Risk culture, appetite and tolerance Flashcards
How is determination of risk appetite a mechanism for balancing risk and return? basic
Necessary to mitigate risk to limit potential downsides, however, overly mitigating risk will not be cost- or time-effective and will therefore eat into returns => balance is needed
2 perspectives by which risk appetite can be defined:
- those that define risk appetite in terms if level of risk exposure an org is prepared to accept *focus here tends to be on downside risk and understanding that it cannot be completely eliminated
- those that define risk appetite in terms of an org’s willingness to take a defined level of risk in pursuit of objectives *recognises that risk exposure can be good and therefore should be sought
3 roles of risk appetite
- Support risk-man decisions
- Support strategic decision-making
- Support risk, governance and internal control activities
How does risk appetite support risk-man decisions? (2)
- Acts as a benchmark - can then determine whether a given level of risk is ‘within appetite’
- Allows more efficient allocation of resources as above appetite risks can be targeted
Role of risk appetite re. strategic decision-making (2)
- Value-adding opportunities might be passed up if there is not a clear understanding that pursuit of them is in keeping with balance of risk and return (is not overly conservative)
- Prevents pursuit of value-adding opportunities that are not in keeping with balance of risk and return (is not overly risk-seeking)
Role of risk appetite re. governance and internal control
Constraining decision-making to ensure it is not overly risk assists in achievement of objectives and satisfaction of stakeholder needs
Which perspective of risk appetite is risk tolerance most alike?
The perspective of defining risk appetite in terms if level of risk exposure an org is prepared to accept
How can concept of risk tolerance complement risk appetite?
By being used to set tolerance limits for specific categories or risk, or for metrics such as risk, control or performance indicators
Risk capacity denotes:
The maximum enterprise-wide level of risk to which an organisation may be exposed
Why is risk capacity important?
Is taking too many decisions that increase exposure to risk (even if each decision is within risk appetite) can put org at risk of failure, as several could result in unfavourable outcomes at the same time
How is risk capacity linked to financial performance?
The stronger an organisations financial position (and their financial reserves especially), the higher their risk capacity can be as they can weather bigger storms
2 common approaches for expressing risk-appetite
- Probability and impact boundaries
- Targets, limits and thresholds
Expressing risk appetite - probability and impact boundaries (3)
Risk-appetite limits can be set on probability and impact where these are expressed quantitatively or qualitatively
- Typically, the limit would actually be on exposure, which combines probability and impact
- RAG can be employed - eg. RED to signify a risk which is beyond the appetite
Expressing risk appetite - targets, limits and thresholds - 2 short points on each
Targets
- range of values that an org is aiming for
- most often set for strategic risks
Limits
- denotes minimum or maximum value an org is prepared to accept
- most commonly applied to downside risks on basis of risk tolerance
Thresholds
- often used in conjunction with risk, control or governance indicators
- RAG reporting can be used to show movement from one threshold to another for a specific indicator
Non-metric expressions of risk appetite: (3)
- Statement of values
- Risk-man policy
- Formal risk-appetite statement
Risk appetite - examples of values which will support keeping within risk-man: (5)
- Behave honestly, ethically or sustainably
- Treat people with fairness, integrity and respect
- Put safety first
- Put customer first
- Continuously look for ways to improve
Risk appetite - examples of risk-man principles which will support keeping within risk-man: (4)
- Only taking risks where benefits outweigh costs
- Not taking risks that might result in criminal prosecution
- Maintaining a specific credit rating
- Ensuring risk-man activities maximise stakeholder value
Risk appetite - a formal risk-appetite statement will usually explain: (5)
- Org’s values and risk-man principles
- And risks that org has zero appetite for
- Stakeholders considered in determining risk
- How risk profile is monitored relative to risk appetite
- Measures org will take where risk exceeds appetite
5 common factors when determining risk appetite:
- Legal and regulatory requirements
- Risk preferences of key stakeholders
- Specialist knowledge, skills and experience of risk, compliance and gov specialists
- Strength of balance sheet
- External factors such as tech change or economic growth
Role of board in determining risk appetite
Board has responsibility for setting this.
It may be decided below board level and sent to them for approval, but this is not good practice
How might CRO or risk function help facilitate board setting risk appetite?
Organising a workshop or providing necessary information to make decision
3 helpful good-practice resources on risk appetite
- Chief Risk Officers Forum
- Institute of Risk Management
- COSO though leadership series
COSO risk-appetite thought leadership paper on good practice argues the following re, risk appetite within an ERM framework: (5)
- Risk appetite is an essential part of effective ERM framework
- Risk appetite and strategy-setting decisions should be integrated
- Decision-makers across the org need to understand appetite for risk
- Board should set appetite and monitor risk profile
- Appetite should be regularly reviewed
Why is culture, inc. org’s culture and risk culture so key re. risk?
- Effective risk-taking and risk-man is about more than policies, procedures and processes
- It is an org’s employees have to implement and comply with these policies, procedures and processes
- Behaviour of employees heavily influenced by culture inc. org culture, and their learned behaviours from these
