Risk culture, appetite, and tolerance Flashcards
Why do many organisations have risk-appetite frameworks and statements?
Risk appetite must align to what?
Why is it not possible to completely eliminate risks that only have a downside? (2)
Is it practical to completely eliminate risks?
By determining and communicating its appetite for risk, an organisation can do what?
To help them to keep their risk profile within acceptable parameters, while at the same time exploiting upside opportunities that help them to achieve their objectives
Culture = an important intangible asset of all organisations
May be because (1) the cost would be too high or (2) because a degree of residual risk will remain as long as a particular activity or process remains in operation
No, because exposure to risk may have positive and negative outcomes
Can ensure that risk and return are balanced in a logical and consistent way, and ensure that downside risks are controlled in a cost-effective way
DEFINING RISK APPETITE
There are many definitions of risk appetite, but what are the 2 perspectives that most fall into?
What is the textbook definition of risk appetite?
- Definitions that define risk appetite in terms of the level of risk exposure that an organisation is prepared to accept
= Tend to focus on downside risks that may only result in losses
- Definitions that define risk appetite in terms of an organisation’s willingness to take a defined level of risk in the pursuit of its strategic objectives
= Recognises that exposure to risk can be good, as it can lead to positive outcomes
The amount and type of risk that an organisation is prepared to pursue, retain or take
THE ROLE OF RISK APPETITE
What are the 3 roles that risk appetite plays?
How can using the concept of risk appetite add value to an organisation?
What can better strategic decisions mean? (2)
What can better risk-management decisions mean? (2)
What can better governance and internal control mean?
- support RM decisions
- risk governance and internal control activities
- support strategic decision making
Organisations that define their risk appetite should be able to make better strategic and RM decisions, and improve governance and internal control because decision makers have a clear understanding of the risks that the organisation is/isn’t willing to take
Better strategic decisions = organisation shouldn’t (1) enter investments/activities that expose it to excessive risk or (2) be overly conservative and pass up value-adding investments/activities
Better RM decisions = organisation can (1) allocate limited RM resources more efficiently and (2) improve buy-in for RM activities by highlighting the consequences of not maintaining appropriate levels of risk exposure
Better governance and IC = should reduce the chance of organisation making inappropriate risk-management decisions
THE ROLE OF RISK APPETITE - SUPPORT RISK-MANAGEMENT DECISIONS
How does risk appetite support risk-management decisions?
What 3 things can risk appetite be used to identify?
Determining risk appetite helps do what 3 things?
= risk appetite acts as a benchmark for RM decisions = helps determine whether a given level of risk is ‘within appetite’
Can be used to identify:
1. Risk events an organisation should reduce its exposure to because downside losses are too high
2. Risk events that need relatively little attention because exposure is ‘on appetite’;
3. Risk events that an organisation should increase its exposure to, because opportunities may otherwise be missed
Determining appetite helps:
(1) Efficiently allocate limited RM resources (targeting resources where they are needed most)
(2) Improve buy-in for RM activities by highlighting the negative consequences of not maintaining appropriate levels of risk exposure
(3) Provide a clear benchmark for RM activities, preventing overcontrol and excessive risk taking
THE ROLE OF RISK APPETITE - RISK GOVERNANCE AND INTERNAL CONTROL ACTIVITIES
How does risk appetite help maintain appropriate corporate governance?
What should this help an organisation do?
It is common to use risk appetite as a mechanism for what?
Why should care be taken when using the concept of risk appetite to set absolute limits for risk exposure?
What is risk premium?
What does risk premium help to clarify?
How can risk premium be expressed in finance and accounting terms?
= risk appetite can constrain management decision-making, ensuring that managers do not expose the organisation to an excessive amount of risk or make overly conservative decisions that generate an insufficient return
Should help an organisation to achieve its objectives and satisfy the needs of stakeholders
Common to use risk appetite as a mechanism for limit setting on total exposure to risk
Because, rather than absolute limits, it is more logical to set relative limits (known as the risk premium)
Risk premium = the rate of return required for risk-taking. The higher the level of risk exposure, the higher the risk premium
Helps to further clarify the balance that an organisation needs to maintain between risk and return
Through the concept of risk-adjusted return = A return that is risk adjusted is discounted to reflect the potential for downside losses
* The greater the exposure to downside loss, the greater the discount rate
THE ROLE OF RISK APPETITE - SUPPORT STRATEGIC DECISION MAKING
An organisation cannot make effective strategic decisions if it does not have what?
Why is it not sufficient to just assess returns and risk exposure?
Without an understanding of its appetite for risk, an organisation will be unable to what? Which may lead it to do what? (2)
Risk appetite can be used to ensure that an organisation? (2)
If it does not have a consistent benchmark to help it weigh up the positive and negative outcomes that might occur as a result of these decisions
Because an organisation must decide whether the level of return is sufficient for the risk taken
An organisation will be unable to balance risk and return effectively = organisation may:
(1) pass up value-adding opportunities
(2) make inconsistent decisions that expose it to too much or too little risk
Risk appetite can be used to ensure that an organisation:
- does not enter into investments or activities that expose it to an excessive amount of risk
- is not overly conservative: stifling innovation and passing up investments or activities that should add value
RISK TOLERANCE
When may the term risk tolerance be used instead of risk appetite?
What are tolerance limits used for?
Name 2 examples.
How does the concept of risk tolerance complement risk appetite?/Tolerance limits may be set for what?
Tolerance limits can be linked to the concept of what?
Where the focus is on downside risk
Used to express a clear limit of exposure to risk events that will generally have no upside
- An organisation may set tolerance limits for health-and-safety incidents
- Minor incidents may be tolerated, but not major incidents such as a death or serious injury
Tolerance limits may be set for categories of risks and/or for metrics such as risk, control or performance indicators, including staff turnover rates, staff absence rates, customer complaints
Tolerance limits can be linked to the concept of RAG reporting:
Red = intolerable risk
Amber = limit of tolerance
Green = the preferred limit of tolerance
RISK CAPACITY
Why might an organisation use the concept of risk tolerance and risk capacity?
What is risk capacity?
Risk capacity is usually a function of what?
Risk capacity may also be determined by who? (3)
An organisation may use the concepts of risk tolerance and risk capacity instead of, or to provide extra dimensions to, its risk-appetite framework
= the maximum enterprise-wide level of risk to which an organisation may be exposed (before risking its long-term financial viability)
Risk capacity is usually a function of an organisation’s financial strength = organisations that have significant financial reserves or low levels of debt can normally take more risk
Risk capacity may also be determined by governments, regulators or other stakeholders
*E.g., banks may wish to lend more money to generate greater profits, but regulators may prevent them from doing so because of concerns about the risk to the financial system
EXPRESSING RISK APPETITE
Different risks may require different means of expression
What are the 2 metric-based expressions of risk appetite?
What are the 3 non-metric expressions of risk appetite?
For non-metric expressions, the risk appetite of an organisation is reflected in what?
Why should risk appetite be expressed quantitatively as well as qualitatively? (2)
Metric based:
(1) probability and impact boundaries
(2) targets, limits, and thresholds
Non-metric based:
1. statement of values
2. RM policy
3. formal risk-appetite statement
The words it uses externally and internally (to its employees)
A. Not all risks can be quantified = Where categories of risks can be quantified to a degree, it is usually appropriate to have quantitative expressions of risk appetite for these risks.
B. Where risks cannot be quantified, either because of a lack of data or because historical trends are an unreliable indicator of the future, it is necessary to express risk appetite in a qualitative way
EXPRESSING RISK APPETITE - METRIC BASED - PROBABILITY AND IMPACT BOUNDARIES
Where probability and impact are assessed quantitatively or qualitatively, it is possible to do what?
What is the common approach for operational risks, including health and safety or pollution risks?
The boundary between ‘in’ and ‘out’ of appetite is set at a what?
When should risks be controlled?
It is possible to establish risk appetite limits for probability or impact
The ordinal scale approach to assessing probability and negative loss impacts (exposure score = probability x impact):

                 Negative Impact →
Probability ↓     1     2     3
      1           1     2     3
      2           2     4     6
      3           3     6     9
The boundary between ‘in’ and ‘out’ of appetite is set at a combined probability and impact (exposure) score of 6 or more (Can also be combined with RAG rating) = Risks scoring 6 or more = out of appetite (red)
Ideally risks should be controlled when in the amber range (3-4 score) to prevent moving to red
EXPRESSING RISK APPETITE - METRIC BASED - TARGETS, LIMITS, AND THRESHOLDS
The targets, limits and thresholds set by an organisation are a reflection of what?
What is a target?
When are they used and how are they expressed?
What is a limit?
When are they applied? (2)
What are thresholds often linked to?
Thresholds may be used in conjunction with what?
A reflection of its appetite for risk
A target = a value that an organisation is aiming for
- Most often set for strategic risks that may have a positive or negative outcome
- Targets may be for a single objective (e.g., to grow market share by 5%) or expressed in ranges and linked to the concept of RAG reporting
A limit = denotes the maximum or minimum value that an organisation is prepared to accept
- Limits are most commonly applied to downside risks = there is a strong link with the concept of risk tolerance
- Limits may be applied to customer complaints
Thresholds are often linked to the concept of RAG reporting
= An organisation may set a green-amber threshold and an amber-red threshold that denotes when the risk or indicator is moving from green to amber and then red
Thresholds may be used in conjunction with targets and limits
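The two metric-based expressions above (the 3x3 probability/impact matrix with its appetite boundary at a score of 6, and RAG thresholds on indicators such as complaints or a growth target) can be turned into a small, testable scoring routine. The following is an added example written for this page, not code from the original; the 1-3 scale, the "6 or more = red" boundary and the amber range of 3-4 come from the text, while the function names, the Indicator class and the sample risk register and indicator values are constructed assumptions for illustration.

```python
"""Added example: exposure scoring against an appetite boundary and RAG
banding of indicators. The scale and boundaries follow the flashcards;
the register entries and indicator thresholds are constructed samples."""
from dataclasses import dataclass
from typing import Literal

Rag = Literal["green", "amber", "red"]

OUT_OF_APPETITE = 6   # page: a score of 6 or more is out of appetite (red)
AMBER_FLOOR = 3       # page: scores of 3-4 are amber, control before red


def exposure_score(probability: int, impact: int) -> int:
    """Combined exposure on the ordinal 1-3 scales (probability x impact)."""
    if not (1 <= probability <= 3 and 1 <= impact <= 3):
        raise ValueError("probability and impact must be on the 1-3 ordinal scale")
    return probability * impact


def exposure_rag(score: int) -> Rag:
    """Band an exposure score: red = out of appetite, amber = act now, green = in appetite."""
    if score >= OUT_OF_APPETITE:
        return "red"
    if score >= AMBER_FLOOR:
        return "amber"
    return "green"


def within_appetite(probability: int, impact: int) -> bool:
    return exposure_score(probability, impact) < OUT_OF_APPETITE


def appetite_matrix() -> dict[tuple[int, int], tuple[int, Rag]]:
    """The full 3x3 grid from the page, keyed by (probability, impact)."""
    return {(p, i): (exposure_score(p, i), exposure_rag(exposure_score(p, i)))
            for p in (1, 2, 3) for i in (1, 2, 3)}


def register_report(register: list[tuple[str, int, int]]) -> dict[Rag, list[str]]:
    """Split a register of (name, probability, impact) into the three groups
    the page describes: red = reduce exposure, amber = control now, green = leave."""
    groups: dict[Rag, list[str]] = {"red": [], "amber": [], "green": []}
    for name, p, i in register:
        groups[exposure_rag(exposure_score(p, i))].append(name)
    return groups


@dataclass(frozen=True)
class Indicator:
    """An indicator with a green-amber and an amber-red threshold.
    higher_is_worse=True models a limit on a downside metric (complaints);
    False models a target the organisation is aiming to reach (growth)."""
    name: str
    green_amber: float
    amber_red: float
    higher_is_worse: bool = True

    def __post_init__(self) -> None:
        ordered = (self.green_amber < self.amber_red) if self.higher_is_worse \
            else (self.green_amber > self.amber_red)
        if not ordered:
            raise ValueError(f"{self.name}: thresholds are not ordered for their direction")

    def rag(self, value: float) -> Rag:
        if self.higher_is_worse:
            if value >= self.amber_red:
                return "red"
            return "amber" if value >= self.green_amber else "green"
        if value >= self.green_amber:
            return "green"
        return "amber" if value >= self.amber_red else "red"


# Constructed sample register (name, probability 1-3, impact 1-3).
SAMPLE_REGISTER = [
    ("unpatched internet-facing server", 3, 3),
    ("credential phishing of staff", 3, 2),
    ("loss of an encrypted laptop", 2, 2),
    ("minor office safety incident", 2, 1),
    ("rare, low-impact vendor outage", 1, 1),
]

# Constructed sample indicators: a limit on complaints and a growth target.
COMPLAINTS_LIMIT = Indicator("monthly customer complaints", green_amber=20, amber_red=30)
GROWTH_TARGET = Indicator("market share growth %", green_amber=5, amber_red=3,
                          higher_is_worse=False)

if __name__ == "__main__":
    for band, names in register_report(SAMPLE_REGISTER).items():
        print(f"{band}: {names}")
    print(COMPLAINTS_LIMIT.name, COMPLAINTS_LIMIT.rag(25))
    print(GROWTH_TARGET.name, GROWTH_TARGET.rag(4))
```

Note that on the 3x3 scale the only achievable scores are 1, 2, 3, 4, 6 and 9, so the amber band of 3-4 is exactly two cells (a probability of 3 with impact 1, or 2 with 2, and their mirror), which is why the page can state the boundary as "6 or more" without a gap at 5; a finer scale would need the two floors chosen explicitly.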
EXPRESSING RISK APPETITE - NON-METRIC BASED - STATEMENT OF VALUES
What do values explain?
Where are values?
Name 3 examples of values.
Many of an organisation’s values will relate to what?
Values explain what an organisation stands for and believes in
Values are at the core of an organisation and underpin its policies, procedures, and culture
Examples of values include:
1. to behave honestly, ethically or sustainably
2. to treat people with fairness, integrity and respect
3. to put safety first
Many of an organisation’s values will relate to how risks are taken and managed across the organisation
= E.g., values like honesty are relevant in terms of compliance and internal control
EXPRESSING RISK APPETITE - NON-METRIC BASED - RISK-MANAGEMENT POLICY
An organisation may include risk-management principles in its risk-management policy.
Name 3 examples.
EXPRESSING RISK APPETITE - NON-METRIC BASED - FORMAL RISK-APPETITE STATEMENT
An organisation may draft a formal risk appetite statement explaining what 5 things?
RM principles might include:
A. only taking risks where the benefits outweigh the costs
B. not taking risks that might result in criminal prosecution
C. ensuring that RM activities maximise stakeholder value
- the organisation’s values and RM principles that relate to its risk appetite;
- any risks that the organisation has zero appetite for (such as risk of regulatory non-compliance or insolvency);
- the stakeholders that the organisation has considered in determining its appetite for risk (shareholders, customers or employees);
- how the organisation monitors its risk profile relative to its risk appetite; and
- the measures that the organisation will take where risks exceed appetite
DETERMINING RISK APPETITE - FACTORS TO CONSIDER
Why must care be taken when determining risk appetite? (2)
What are the 5 factors to consider when determining risk appetite?
Why do technological changes and periods of high economic growth promote organisation’s risk taking?
(1) if risk appetite is set too low then valuable opportunities may be missed
(2) if set too high, organisation could become financially distressed and have to cease operating
- legal and regulatory requirements;
- risk preferences of key stakeholder groups such as shareholders, customers and employees;
- specialist knowledge, skills and experience of the organisation’s GRC specialists;
- strength of an organisation’s balance sheet (which will influence its ability to withstand unexpected losses) = high levels of capital resources and the ratio of debt to equity;
- external factors such as technological change or economic growth
Technological change and periods of high economic growth can present significant upside opportunities and downside threats = organisations may increase their appetite for risk in the hope of exploiting opportunities that may generate big financial gains
DETERMINING RISK APPETITE - ROLES
What is the role of the board? (2)
Why is it not good practice for management decide the risk appetite and send to the Board for approval? (2)
What is the role of the chief risk officer and risk function? (3)
(1) To set the organisation’s risk appetite (as per the UK CG Code)
(2) To determine strategy and an organisation’s objectives
- The Board should play an active role and should consider the 5 factors carefully
- The Board is best placed to determine risk appetite because it has a broad organisation-wide view and exists to represent the interests of stakeholders
(A) help facilitate the Board’s role in setting the risk appetite = may organise workshops or provide information to help the Board make a decision
(B) help an organisation to monitor its risk profile relative to its risk appetite, through production of risk reports
(C) provide expert risk control advice