Board oversight of risk: Defining risk appetite in plain English



Similar documents
How to achieve excellent enterprise risk management Why risk assessments fail

How ERM programs evolve

Integrated Risk Management:

Enterprise Risk Management

Beyond risk identification Evolving provider ERM programs

RISK MANAGEMENT FRAMEWORK. 2 RESPONSIBLE PERSON: Sarah Price, Chief Officer

Principles for An. Effective Risk Appetite Framework

Enterprise risk management: A pragmatic, four-phase implementation plan

Enterprise Risk Management in a Highly Uncertain World. A Presentation to the Government-University- Industry Research Roundtable June 20, 2012

Matthew E. Breecher Breecher & Company PC November 12, 2008

PwC s 2012 U.S. Insurance ERM & ORSA Readiness Survey

Placing a Value on Enterprise Risk Management ADVISORY

Risk appetite as a dynamic management tool

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012

ENTERPRISE RISK MANAGEMENT POLICY

University of St. Gallen Law School Law and Economics Research Paper Series. Working Paper No June 2007

Confident in our Future, Risk Management Policy Statement and Strategy

Policy : Enterprise Risk Management Policy

Commodity Price Risk Management (CPRM) - Trends and Challenges for Corporates

WFP ENTERPRISE RISK MANAGEMENT POLICY

Corporate Portfolio Management

Understanding and articulating risk appetite

Risk Management. Did you know? What is Risk Management?

and Risk Tolerance in an Effective ERM Program

Guidance Note: Corporate Governance - Board of Directors. March Ce document est aussi disponible en français.

From ICAAP/ORSA to ERM: Board and Senior Management Oversight. Leon Bloom, Partner, Deloitte & Touche LLP lebloom@deloitte.ca

Enterprise Risk Management in Colleges and Universities

Operational Risk Management - The Next Frontier The Risk Management Association (RMA)

STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES. ENTERPRISE RISK MANAGEMENT Framework

Clarius Group Risk Management Policy and Framework

Governance and Risk Management in the Public Sector. Fernando A. Fernandez Inter-American Development Bank (202)

Sound Practices for the Management of Operational Risk

Guidance on Risk Management, Internal Control and Related Financial and Business Reporting

Enterprise Risk Management: COSO, New COSO, ISO Review of ERM

Risk appetite in the financial services industry A requisite for risk management today

Governance Guideline SEPTEMBER 2013 BC CREDIT UNIONS.

ENTERPRISE RISK MANAGEMENT FRAMEWORK

Framing the future of corporate governance Deloitte Governance Framework

IRM CERTIFICATE AND DIPLOMA OUTLINE SYLLABUS

Fraud Risk Management

ENTERPRISE RISK MANAGEMENT POLICY

Model Risk, A company perspective Peter K. Reilly, FSA Valuation Actuary & Head of Actuarial Strategic Initiatives Aetna, Inc

The Changing Landscape for Trade Compliance Enterprise Risk (and Opportunity) Management

Operational Risk Management Program Version 1.0 October 2013

UNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework

Risk Profile, Appetite, and Tolerance: Fundamental Concepts in Risk Management and Reinsurance Effectiveness

International Diploma in Risk Management Syllabus

How to Develop Successful Enterprise Risk and Vendor Management Programs

Deriving Value from ORSA. Board Perspective

Department of Veterans Affairs VA Directive VA Enterprise Risk Management (ERM)

Avondale College Limited Enterprise Risk Management Framework

Internal Control Integrated Framework. May 2013

Scenario Analysis Principles and Practices in the Insurance Industry

The Role of the Board in Enterprise Risk Management

Saldanha Bay Municipality. Risk Management Strategy. Inclusive of, framework, procedures and methodology

FINANCIAL SERVICES FLASH REPORT

SOL PLAATJE MUNICIPALITY ENTERPRISE RISK MANAGEMENT FRAMEWORK AND POLICY

RISK MANAGEMENT OVERVIEW 2011 RISK CONFERENCE SPONSORED BY THE FEDERAL RESERVE BANK OF CHICAGO AND DEPAUL UNIVERSITY

Risk Assessment & Enterprise Risk Management

Capital Requirements Directive Pillar 3 Disclosure. December 2015

P3M3 Portfolio Management Self-Assessment

Risk Management Policy Adopted by:

Getting things done How governments can deliver public infrastructure projects on time and within budget

CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting

Zurich s approach to Enterprise Risk Management. John Scott Chief Risk Officer Zurich Global Corporate

A Primer for Investment Trustees (a summary)

STANDARD. Risk Assessment. Supply Chain Risk Management: A Compilation of Best Practices

Accenture Risk Management. Industry Report. Life Sciences

ASAE s Job Task Analysis Strategic Level Competencies

Develop Project Charter. Develop Project Management Plan

Linking Risk Management to Business Strategy, Processes, Operations and Reporting

University of Edinburgh Risk Policy and Risk Appetite

PMI Risk Management Professional (PMI-RMP) Exam Content Outline

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework

Proposed Consequential and Conforming Amendments to Other ISAs

IFAD Policy on Enterprise Risk Management

Supervisory Guidance on Operational Risk Advanced Measurement Approaches for Regulatory Capital

Consumer Goods and Services

FlyntGroup.com. Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk

Transforming risk management into a competitive advantage kpmg.com

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

How To Transform It Risk Management

Risk, Risk Assessments and Risk Management. Christopher Bowler CPA, CISA August 10, 2015

New supervisory guidance on model Overview, analysis, and next steps

Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment

Policy and Procedure Statement

A Risk-Based Audit Strategy November 2006 Internal Audit Department

Audit of the Policy on Internal Control Implementation

RISK APPETITE IN THE WORLD FOOD PROGRAMME

Addressing Disclosures in the Audit of Financial Statements

Developing an effective governance operating model A guide for financial services boards and management teams

Operational Risk Management Excellence Get to Strong Survey

OPTIMUS SBR. Optimizing Results with Business Intelligence Governance CHOICE TOOLS. PRECISION AIM. BOLD ATTITUDE.

COSO Internal Control Integrated Framework (2013)

Accreditation Application Forms

Successfully identifying, assessing and managing risks for stakeholders

Transcription:

www.pwc.com/us/centerforboardgovernance Board oversight of risk: Defining risk appetite in plain English May 2014

Defining risk appetite in plain English Risk oversight continues to be top-of-mind for directors. One area that s particularly important for boards to better understand is the company s risk appetite. Risk appetite should be at the center of the company s overall strategy and risk management programs. It is not a new concept but one that can be confusing. Often there is incorrect use of the terminology and uncertainty as where to begin discussions on the topic. This confusion can lead to an informal approach for defining a company s risk appetite. This in turn can result in the company s risk appetite remaining static instead of evolving with the strategic and business changes that occur. Almost all directors (95%) believe their board has at least a moderate understanding of their company s risk appetite. 1 But for many this understanding may be implicit if the company s approach to defining its risk appetite is informal. Many view risk appetite as a topic to be addressed by simply developing a risk appetite statement. And many companies never develop a practical risk appetite statement because they believe the cost and difficulty of developing it will outweigh the tangible benefits. However, risk appetite should be much more than a policy statement. It should be derived from a robust ongoing process that can help a company understand and manage its exposures and make appropriate risk-based strategic decisions. A risk appetite process can provide greater clarity of the risks that the company wants to assume and a better understanding of the relative tradeoffs between risks and returns. The risk appetite discussions and process can help drive appropriate decisions about capital allocation, investments, and acquisitions. Today, far too many strategic decisions are made with an incomplete understanding of risks and the company s capacity to manage those risks. Risk appetite discussions can help management create a consistent message for various stakeholders and help boards better understand management s attitudes toward risks. Regulators and investors are currently asking for more transparency in this area. Companies in some industries, such as banking and financial services, are required to have a risk appetite statement. Analysts and rating agencies are also inquiring about how strategies align with risk appetite. A risk appetite process can provide greater clarity of the risks that the company wants to assume and a better understanding of the relative tradeoffs between risks and returns. 1 PwC, Annual Corporate Directors Survey, 2013. Defining risk appetite 2

So what is risk appetite? Risk appetite is the amount of risk an organization is willing to accept in pursuit of strategic objectives. Thus, it should define the level of risk at which appropriate actions are needed to reduce risk to an acceptable level. When properly defined and communicated it drives behavior by setting the boundaries for running the business and capitalizing on opportunities. A discussion of risk appetite should address the following questions: Corporate values - What risks will we not accept? Strategy - What are the risks we need to take? Stakeholders - What risks are they willing to bear, and to what level? Capacity - What resources are required to manage those risks? Risk appetite is a matter of judgment based on each company s specific circumstances and objectives. There is no one-size-fits-all solution. The risk appetite process Management is responsible for the development and articulation of the company s risk appetite. It starts with an understanding of the company s strategic goals and objectives, stakeholder perspectives, risk culture, and risk experience. With this as the foundation, management continues the risk appetite process by developing the company s risk profile, risk capacity, qualitative risk assessments, and quantitative risk analysis and limits. Risk profile: Management s assessment of the company s top risks and the internal controls and capabilities to manage those risks. The risk profile can address strategic, market, financial, operational, organizational, and legal and regulatory risks, among others. Risk capacity: The actual amount of risk the company could bear. It requires an assessment of the amount of risk a company can accept based on financial, operational, and reputational impacts. Qualitative risk assessment: Management s categorization and prioritization of the company s top individual risks relative to one another. The categorization and prioritization takes into account the risk, reward, and risk mitigation activities. Defining risk appetite 3

Quantitative risk analysis: The use of rating scales to bring a greater degree of precision and measurability to risks. Rating scales can include simple estimates, benchmarking, and sophisticated probability models. While not all risks are quantifiable, this analysis can be used to set limits for strategic decision making regarding certain business activities. For example, a company may set the following risk limits: Lines of credit: A $500 million credit line with an individual bank in order to avoid an over-concentration of credit risk. Exchange rate volatility: Enter an emerging market with an exchange rate volatility of less than 10% for a three year period. Supply chain partners: The company will only operate with supply chain partners that have a specific credit rating. Risk appetite can now be defined using the comprehensive results of the processes discussed above in conjunction with an evaluation of the interrelationships of key risks to determine how much risk is acceptable in pursuing strategic objectives. It is a complex task requiring significant judgment to balance risk and reward, taking into consideration the perspectives of various stakeholders. Risk appetite should be explicit enough to drive company behavior and strategic decision-making, and pragmatic enough to facilitate ownership and usage across the company. It is generally developed at a high-level and followed by more definition for specific strategic objectives or business activities. In developing risk appetite, management should also consider the company s risk tolerance levels, or the acceptable levels of variability to achieving strategic objectives. Tolerance levels are generally defined for specific risks and can vary based on the importance of the strategic objectives to the company and the relative cost/benefit of achieving the objective. Risk definitions Risk appetite The amount of risk an organization is willing to accept in pursuit of strategic objectives. Risk capacity The actual amount of risk the company could bear based on its financial and operational capabilities. Risk tolerance The acceptable levels of variability to achieving strategic objectives. A written risk appetite statement can help formalize and clarify the company s overall approach to risk. It can help communicate and create transparency with employees and external stakeholders. A training program to help employees understand the company s risk appetite and its impact on day-to-day activities, and to promote desired behaviors throughout the organization is important. It is also beneficial to embed risk appetite into business activity planning and relevant company policies and procedures. Defining risk appetite 4

An excerpt of a risk appetite statement from a health care company: The company has specific objectives related to (1) quality of customer care, (2) attracting and retaining high-quality physicians and health researchers, and (3) building sustainable levels of profit to provide access to needed capital and to fund existing activities. The statement starts as follows: The Organization operates within a low overall risk range. The Organization s lowest risk appetite relates to safety and compliance objectives, including employee health and safety, with a marginally higher risk appetite towards its strategic, reporting, and operations objectives. This means that reducing to reasonably practicable levels the risks originating from various medical systems, products, equipment, and our work environment, and meeting our legal obligations will take priority over other business objectives. Source: COSO s Enterprise Risk Management-Understanding and Communicating Risk Appetite, January 2012. The board s role in overseeing risk appetite The board and its committees have responsibility for risk oversight, and that includes risk appetite. But how does a board do this? It should have regular substantive discussions about the company s risk appetite and strategic objectives. It should monitor the implementation of the company s risk appetite process. The board should also be informed when tolerance limits are either exceeded (meaning too much risk is being taken) or not obtained (meaning too little risk may be taken) and understand if either of these scenarios may signify the company needs to adjust its activities. A company s strategic objectives and risk profile may change with new strategies, and with changes in the business environment, economic conditions, competition, and other factors. Key stakeholder opinions can influence this, too. Directors will want to take these dynamics into account and make sure they stay current on their understanding of risk appetite. A company that doesn t meet its risk tolerance level for a particular business activity may be taking too little risk and reducing its overall opportunity and potential reward. Defining risk appetite 5

Questions boards should consider asking management about risk appetite: Does the company have a continuous risk assessment process in place that identifies, prioritizes, and analyzes the key risks? Are the key risks aligned with the company s strategic goals and objectives? Does the company have an ongoing process to update its risk profile to respond to major changes in strategic direction, business activities, and the business environment? Does the company have the capabilities required to assess and manage the risks it is taking on today and the risks that it will be taking on as a result of its strategic imperatives? Does the company have a structured process in place to continuously evaluate and adjust its risk appetite and tolerances, both positive and negative, as changes in strategic goals and objectives occur? Are changes in the corporate risk appetite and tolerances communicated effectively to internal and external stakeholders and integrated into the company s risk based strategic initiatives? Defining risk appetite 6

To have a deeper discussion about how this topic might impact your business, please contact your PwC engagement partner or one of the following individuals: Mary Ann Cloyd Leader, Center for Board Governance (973) 236 5332 mary.ann.cloyd@us.pwc.com Ron Kinghorn Partner, Risk Consulting (617) 530 5938 ron.kinghorn@us.pwc.com Barbara Berlin Director, Center for Board Governance (973) 236 5349 barbara.berlin@us.pwc.com Michael Chagares Director, US Performance Governance, Risk & Compliance (703) 627-2444 michael.j.chagares@us.pwc.com Ken Hooper Director, US Performance Governance, Risk & Compliance (919) 606-7740 ken.hooper@us.pwc.com 2014 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information