Week 3 - ERM Process Flashcards

1
Q

What is risk culture

A

“Risk culture is a term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organization. It is the set of common assumptions or beliefs in a company that allow you to ‘predict’ how people will behave and what they will achieve.”

2
Q

What is effective risk culture

A

Effective culture promotes appropriate risk-taking and transparency with a clear, consistent, ethical tone at the top, which filters through to all employees

3
Q

How do you manage risk culture

A

1) culture change is a long process
2) there should be a clear and compelling vision and strategy that people can understand and which they can buy into
3) the desired culture should be articulated and modeled from the highest level in the organization

4
Q

Risk culture factors (hard vs soft)

A

Corporations cannot optimize risk management simply by establishing oversight committees, audit processes, and risk reports. These processes and systems comprise the “hard” side of risk management.

The “soft” side includes all the factors that influence individual decision-making and behavior. In a sound risk culture, everyone not only knows and understands the policies, but also shares the values behind them and adjusts their behavior accordingly

5
Q

Steps in building culture

A

1) Hire the right people
2) Set the tone from the top
3) Make good risk culture easy and accessible
4) Use an appropriate yardstick
5) Understand the information
6) Communicate the problem
7) Act on it
8) Assess the risk culture regularly

6
Q

Impact of Culture/Conduct

A
  • Reputational impact and monetary fines
  • Public perception can be significant even for what management
    perceives as small
  • Government policies/guidelines – company can mitigate by having
    effective compliance and ethics program
  • Compensation structure – can easily derail culture by incentivizing
    wrong/bad behavior (i.e., large commission payouts to those who take
    undue risks but make outsized profits)
7
Q

How to recognize a culture issue

A

Difficult to identify culture problem. Signs can be:
– Board and senior management may say right things but “middle” management might not be following through
– Trends and patterns in whistleblower complaints not always analyzed and taken seriously
– Incentive comp not always issue – sometimes focus is on “pleasing your manager”
– It is how performance goals are achieved

8
Q

Risk Appetite Statement (RAS)

A

The Risk Appetite Statement defines the amount of risk that the firm is willing to accept
➢ It is aligned with the strategic objectives of the enterprise
➢ The Risk Appetite Statement defines key risk requirements within two broad categories: qualitative and quantitative
➢ It has been approved by management and the Board or a committee of the Board and is used by the businesses to guide their risk-taking activities
➢ It considers the efficient, safe, and sound deployment of capital

9
Q

Key questions to determine risk appetite

A

Key questions:
* What risks will the organization not accept?
(e.g. environmental or quality compromises)
* What risks will the organization take on new initiatives?
(e.g. new product lines)
* What risks will the organization accept for competing objectives?
(e.g. gross profit vs. market share?)

10
Q

Risk appetite vs risk tolerance

A

Risk appetite: the company doesn't accept risks that could result in a significant loss of its revenue base

Risk tolerance: the company doesn't accept risks that would cause revenue from its top 10 customers to decline by more than 1%

11
Q

Effective risk appetite framework

A

RAF:
- considers all relevant risks
- contains quantitative and qualitative statements
- incorporates stress conditions
- links risk appetite to strategic and capital planning
- institutionalized throughout the firm
- business line limit frameworks aligned with RAF
- effective monitoring of RAF and escalation of breaks

12
Q

Break down the levels of risk tolerance

A

1) Risk Capacity - the maximum risk that the firm can bear and remain viable
2) Risk Appetite - the maximum risk the firm is willing to accept within its capacity
3) Risk Limits - the maximum amount the firm wants to accept
4) Risk Profile - the actual risk the firm is taking

Risk tolerance - the acceptable level of variation relative to achievement of a specific objective

13
Q

Risk Capacity

A

Risk Capacity - Represents a company’s overall ability to absorb potential losses. Capacity represents the absolute maximum loss a company is able (not simply willing) to take on.

14
Q

Risk Appetite

A

Risk Appetite - Represents the types and aggregate levels of risk an organization is willing to take on to actively pursue its strategic objectives.

It should fall within the broader umbrella of risk capacity and will align closely with the organization’s current risk profile.

A high risk appetite will consume a greater portion of risk capacity, while a low risk appetite will consume a smaller portion, thus providing a greater buffer zone and reducing the vulnerability of the organization’s capital and resources.

Scale goes: Averse, Minimalist, Cautious, Flexible, Open

15
Q

Risk Limits

A

Risk Limits - Risk limits are the parameters within which a company (or business unit or function) must operate in order to achieve its risk appetite.

Whereas risk appetite is a strategic determination based on long-term objectives, risk limits can be seen as a tactical readiness to bear a specific risk within established parameters.

Enterprise-wide strategic risk appetite is thus translated into specific tactical risk tolerances that constrain risk-acceptance activities at the business level.

16
Q

Risk Profile

A

Risk Profile - must align with the business model and strategy of the organization

Ex., Firm A may choose to be a low-cost provider - its risk profile is driven by low profit margin and significant operational risks (e.g., cost control, supply-chain management, and scale economics).

17
Q

Risk Appetite Scale

A

Averse - avoidance of risk is the core objective
Minimalist - extremely reluctant to take risks
Cautious - will take very limited amount of risk
Flexible - will take strongly justified risks
Open - will take justified risks

18
Q

What is risk

A

Risk - the possibility that events will occur and affect the achievement of strategy and business objectives

19
Q

What is inherent risk

A

Inherent risk - risks that are part of your ecosystem and that would be significant if you don’t do something about them (grocery chain vs college)

20
Q

What are types of risk mitigants

A

Types of risk mitigants: avoid, insure, accept and control

21
Q

What is residual risk

A

Residual risk - risk levels after you have mitigated the inherent risks

22
Q

What is the risk/reward tradeoff

A

All mitigations carry a cost AND if you mitigate all risk away there is often no reward left over

23
Q

Components of Enterprise Value Dynamics (EVD)

A

Enterprise Value Dynamics (EVD)
- Physical Assets (land, buildings, equipment, inventory)
- Financial Assets (cash, receivables, investments, equity)
- Customer Assets (customer, channels, affiliates)
- Employee/Supplier Assets (employees, suppliers, partners)
- Organizational Assets (leadership, knowledge, values, reputation)

24
Q

Risk Metrics: Level 1 - Rare

A

May occur only in exceptional circumstances
Less than once every 10 years

25
Q

Risk Metrics: Level 2 - Unlikely

A

Could occur at some time
At least once in 5 years

26
Q

Risk Metrics: Level 3 - Possible

A

Might occur at some time
At least once per year

27
Q

Risk Metrics: Level 4 - Likely

A

Will probably occur in most circumstances
At least once per quarter

28
Q

Risk Metrics: Level 5 - Almost certain

A

Expected to occur in most circumstances
At least once per month

29
Q

What is the appropriate risk response

A

Risk response:
- Avoid = eliminate (get out of situation)
- Transfer/Share with a third party (e.g., insurance, warranties, contractual transfers, financial instruments, performance bonds)
- Modify = reduce vulnerability and post loss measures to mitigate impact
- Accept = monitor/response plans
- Reduce = build controls (changes likelihood or consequences)

30
Q

What do risk and compliance functions do

A

Risk Function: the risk function establishes processes and procedures to ensure that the organization operates within its target risk appetite and recommends action when risk falls outside the tolerance levels established by the board and management.

Compliance Function: The compliance function has a narrower focus, monitoring operations to ensure that the firm is adhering to statutory and regulatory requirements.

31
Q
A