RISK APPETITE STATEMENT



Similar documents
Understanding and articulating risk appetite

Principles for An. Effective Risk Appetite Framework

Integrate Optimise Sustain

Private Wealth and Investment Management

Risk Management Policy

Risk appetite How hungry are you?

High level principles for risk management

Risk Management Framework

Enterprise Risk Management

FINANCIAL SERVICES GUIDE

AUSTRALASIA CONSTRUCTION INSIGHT

III. CORPORATE GOVERNANCE IN BANKING ORGANIZATIONS

Are you sure that s beef in your burger?

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS

Responsible Investment Policy

Guidance Note: Corporate Governance - Board of Directors. March Ce document est aussi disponible en français.

A Risk Management Standard

Remarks by. Carolyn G. DuChene Deputy Comptroller Operational Risk. at the

Investment. Phillip Street, Sydney. Capability Statement

Risk Management Programme Guidelines

ISO 31000: ISO/IEC & ISO Guide 73: New Standards for the Management of Risk

Risk Management Strategy and Policy. The policy provides the framework for the management and control of risk within the GOC

When being a good lawyer is not enough: Understanding how In-house lawyers really create value

Commonwealth Risk Management Policy

Risk Management Policy Adopted by:

RISK MANAGEMENT OVERVIEW 2011 RISK CONFERENCE SPONSORED BY THE FEDERAL RESERVE BANK OF CHICAGO AND DEPAUL UNIVERSITY

University of Edinburgh Risk Policy and Risk Appetite

Honan Insurance Group Company Profile

What we are seeing is sustained growth and increasing interest by corporates in adopting and enhancing a captive strategy.

HUDSON SALARY GUIDES 2015

Risk management systems of responsible entities

RISK ENGINEERING CONSIDERATIONS IN THE DESIGN AND CONSTRUCTION OF NEW BUILDING PROJECTS

Building an Effective Business Architecture & Metrics Capability

APPENDIX 50. Enterprise risk management - Risk management overview

An Introduction to Risk Management. For Event Holders in Western Australia. May 2014

Capital Requirements Directive Pillar 3 Disclosure. December 2015

THE NATIONAL STANDARDS FOR VOLUNTEER INVOLVEMENT

THE NATIONAL STANDARDS FOR VOLUNTEER INVOLVEMENT

An Effective Approach to Transition from Risk Assessment to Enterprise Risk Management

Sample risk committee charter

A guide for members APES 325 Risk Management for Firms

Board of Directors Meeting 12/04/2010. Operational Risk Management Charter

POL ENTERPRISE RISK MANAGEMENT SC51. Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT:

State Super Retirement Fund

QBE PROFESSIONAL LIABILITY. Directors & Officers Liability INSURANCE PROPOSAL PROPOSAL

Supporting information technology risk management

RISK MANAGEMENT AND COMPLIANCE

The Asset Management Landscape

University of New England Compliance Management Framework and Procedures

Supervisory Policy Manual

Placing a Value on Enterprise Risk Management ADVISORY

Investment options and risk

Adequacy of risk management systems of responsible entities

Operational Risk, Scenario Analysis, and External Events: A Regulatory Perspective

EIB Group Risk Management Charter

From ICAAP/ORSA to ERM: Board and Senior Management Oversight. Leon Bloom, Partner, Deloitte & Touche LLP lebloom@deloitte.ca

Quality Assurance. Policy P7

Governance, Risk and Compliance. What is GRC: What is its impact on compliance practices and where is GRC heading?

Capital Adequacy: Advanced Measurement Approaches to Operational Risk

Implementation of Solvency II: The dos and the don ts

Core Infrastructure Risk Management Plan

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

Sample Financial institution Risk Management Policy 2011

2016 Asset Management & Maintenance Priorities Survey

Integrate Optimise Sustain

OUR ASSURANCE PLAN 2016/17 MARCH Our Assurance Plan 2016/17

HSBC FINANCE CORPORATION CHARTER OF THE RISK COMMITTEE

This is a free 9 page sample. Access the full version online. AS/NZS ISO 31000:2009 Risk management Principles and guidelines

Clarius Group Risk Management Policy and Framework

Improving Corporate Governance with the Balanced Scorecard

Avondale College Limited Enterprise Risk Management Framework

Prudential Practice Guide

Internal Control Integrated Framework. May 2013

How to achieve excellent enterprise risk management Why risk assessments fail

Client Alert. Global Information Technology & Communications Privacy, Data Protection and Information Management

Business Continuity Management

SAI GLOBAL LIMITED Risk Management Policy

Consumer protections and energy affordability

Managing Risk at Bank of America Corporation. Overview

Relationship Manager (Banking) Assessment Plan

CRO Forum Paper on the Own Risk and Solvency Assessment (ORSA): Leveraging regulatory requirements to generate value. May 2012.

Audit, Risk Management and Compliance Committee Charter

Solvency II Own Risk and Solvency Assessment (ORSA)

Operational Risk Management Table of Contents

Directors and Officers Liability Insurance Guidance and Advice for Risk Managers

PART B INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS (ICAAP)

3 August 2012 Policy updated to reflect name changes and alignment with current Aurora Energy Group Policy standards.

COSO Framework 2013 & SOX Compliance. Roxanne L. Halverson, CISM, CGEIT Atlanta ISACA Geek Week August 19, 2013

Risk Management Plan

Accounting for ethical, social, environmental and economic issues: towards an integrated approach

OWN RISK AND SOLVENCY ASSESSMENT AND ENTERPRISE RISK MANAGEMENT

EXECUTIVE CENTRAL. Leader Sales Management

Review findings on the quality of the risk governance of insurers

Risk Management Framework

AMP Capital Investors Limited ABN AFSL AMP Capital Derivatives Risk Statement

Enterprise Risk Management & Information Technology

The Compliance Universe

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

Enterprise Risk Management: From Theory to Practice

Risk assessment. made simple. sayer vincent consultants and auditors. Introduction 3. step1 Identifying the risks 4. step2 Assessing the risks 7

Transcription:

RISK APPETITE STATEMENT make or break? PREPARED BY NADINE BOGHDADI, RISK CONSULTANT WILLIS RISK SERVICES MARCH 2015 When an organisation embarks on defining its risk appetite, the process, debate and discussion that ensue can result in the organisation and its key individuals thinking about their business in a way they may have never thought about it before. The process can identify weaknesses and gaps as well as opportunities that the business may not have previously considered or leveraged. A risk appetite statement, put simply, is the amount and type of risk that an organisation is willing to take in order to meet its strategic objectives this includes reference to both the organisation s risk appetite as well as its risk tolerance. This process and the end outcome the defined statement provides the organisation with rigour when setting strategic and budget objectives, selecting new products or services and assessing entry into new markets.

IS IT WORTH THE EFFORT? It is true many organisations have ticked along just fine without a risk appetite statement or without any notion of what constitutes their organisational risk appetite. Leaders have made business decisions based on intuition, gut feel or experience with little concern or any perceived need for determining their organisation s risk appetite. Many organisations employ sound risk management practices however for some, these may not be documented or formalised in any way. For example, risk information across the organisation may not be shared laterally therefore not informing decision making one business unit may be forgoing risk and missing out on value and the other may be taking on too much risk. This doesn t necessarily mean that one is more effective at assessing or managing the risk, it means that there is no oversight of, or consistency in the management of the risk. The organisation may not be operating and managing risk in an optimal manner, similarly the organisation may not be making critical business decisions in a synergistic or consistent manner. Despite all of this, in many cases, organisations have managed their risks to a sufficient level of effectiveness such that their risk management processes and decision making need never be brought to the attention of Group or at the enterprise level. Unfortunately not all organisations have been so lucky. For example, the 2008 collapse of the Royal Bank of Scotland (RBS), following its acquisition of Dutch bank ABN AMRO, shows what can and did go horribly wrong for this global bank when its organisation s risk appetite was not adequately considered or consulted. The bank s risk appetite statement was not applied as a decision making barometer to determine whether or not the acquisition was the right move for RBS. Furthermore, there was inadequate consideration of ABN AMRO s underlying asset quality or if the aggregation of risks was aligned to RBS requirements. In December 2011, the UK regulator, the Financial Services Authority ( FSA ), published a report The Failure of the Royal Bank of Scotland which examined what went wrong and what led to the government bailout of RBS. Notwithstanding that the FSA was found to have played a role in the bank s demise as key prudential regulations being applied by the FSA, and by other regulatory authorities across the world, were dangerously inadequate, RBS was found to be at significant fault. This was due to its deficient management capabilities and style; governance arrangements; checks and balances; mechanisms for oversight and challenge; and in its culture, particularly its attitude to the balance between risk and growth. It is this reference to the balance between risk and growth that is the crux of risk appetite the need for an organisation to determine if its pursuits via a particular acquisition, market, new product or service and their associated risks are likely to have a level of reward that is commensurate to the risk. Also, are the associated risks aligned to the type and level of risk that the organisation has defined as acceptable? The FSA s December 2011 report included a review of RBS internal reports; one of which was the annual Board, Remuneration Committee and Nominations Committee Performance Evaluation Report. The 2006 report highlights that RBS Directors felt there was insufficient input to and review of risk appetite at Board level, that the Board needed to articulate its risk appetite and that a third of them did not appear to be satisfied with the Board s role in defining and developing strategy. RBS had a very aggressive growth strategy that had not been developed or tempered with adequate consultation of its risk appetite or sufficient counsel from the Board. This highlights that as an organisation s strategy changes and evolves; its risk appetite statement should be adapted in light of any new internal information as well as external influences and environmental factors. Strategic objectives should not be developed, agreed and implemented in isolation or without consultation and consideration of the risk appetite statement. PAGE 1

WHAT IS THE DIFFERENCE BETWEEN RISK APPETITE AND RISK TOLERANCE aren t they essentially the same concept? No. A company with no tolerance for risk, put simply, has no appetite for business either. Yes that old adage of risk for reward still rings true. Risk appetite is focussed on the pursuit of risk and the parameters that the organisation must employ in deciding whether or not to take on the risk. It defines what types of risks an organisation will pursue; which types of markets, products, services, clientele and customers it will target. Risk tolerance defines or quantifies the maximum amount of risk that the organisation is technically able to assume. For example, this may be the maximum level of risk the organisation can absorb or manage before breaching factors such as its capital base, liquidity levels, borrowing capacity or covenants, reputational and regulatory requirements, operational constraints and obligations to shareholders, customers and other stakeholders. An example of a manufacturer s customer or supplier concentration risk tolerance is: For product A / market segment B / location C [risk tolerance will specify], no single customer / supplier / counterparty exposure will exceed X%. This caps the organisation s exposure to a particular customer, supplier or location to an acceptable level. A risk tolerance example for an organisation with an aggressive growth strategy is: We will continue to expand our global footprint with stores and distribution centres in locations where the exposure to [a particular weather peril e.g. flood/ earthquake/bushfire etc.] will not result in business performance disruption of greater than X days over a 12 month period. In this case, the organisation is incorporating statistics into its risk tolerance to inform its location selection where the probability of an adverse weather event occurring and impacting its business operation must be within a specified tolerance level. The extent to which an organisation chooses to express its risk tolerance at a business unit, product, function or locational level will depend on the organisation s desired level of sophistication, strategic objectives, complexity and its risk category definitions. Risk categories are defined in an organisation s risk evaluation model which categorises risks in accordance with a risk likelihood and consequence matrix. PAGE 2

WHY DOESN T A SET AND FORGET APPROACH WORK? As organisations grow, expand and evolve, so too do the risks organisations face. The type, prominence and appetite for risks change at different points in the life cycle of a company as well as during the lifecycle of its products or services. Organisations that don t have a risk appetite statement simply don t know what they don t know. This is in relation to how much risk is being taken on, what value the organisation is deriving from taking on that risk and whether or not the controls and processes in place are sufficient to reduce that risk to a residual level that the organisation is comfortable retaining. Those organisations that do have a risk appetite statement risk management practitioners applaud you. Agreeing and documenting this at the enterprise level is one thing, however filtering it down and implementing at the business unit level is another. Embedding a risk management culture in an organisation is a challenging feat however is critical in today s ever evolving risk landscape. It is therefore important that an organisation s risk appetite statement is treated as a live and evolving document where its intent is challenged and discussed on a frequent basis....risk priorities appear to shift significantly, in line with the emphasis that business leaders place on a particular risk at a certain point in time. Willis in Strategic Risk (2014). HOW DO RISK APPETITE AND RISK TOLERANCE FIT INTO AN ERM FRAMEWORK? A risk appetite statement is just the beginning. An organisation that is serious about becoming risk management mature needs to embed an Enterprise Risk Management ( ERM ) framework, of which the risk appetite statement is a fundamental component; made up of its critical constituents; risk appetite and risk tolerance. The following diagram, incorporating concepts from the International Risk Management Standard (ISO/ AS/NZS 31000 Recognise and Manage Risk), shows the interrelationship of the risk appetite statement and its direct influence on business strategy, the risk management framework and underlying processes. PAGE 3

RISK IDENTIFICATION COMMUNICATION & CONSULTATION RISK APPETITE STATEMENT RISK ASSESSMENT STRATEGY & BUSINESS VALUE DRIVERS MONITORING & REVIEW RISK MANAGEMENT FRAMEWORK RISK MANAGEMENT POLICY CONTROL ASSESSMENT RISK MITIGATION, TREATMENT & TRANSFER PAGE 4

THIS SOUNDS LIKE A GOOD IDEA but what are the benefits? Developing and embedding a risk appetite statement has numerous benefits: The clear articulation of enterprise risk appetite and risk tolerance directly guides and informs strategic planning and budgeting; facilitating consistency in these processes. Consistent measurement and monitoring of risk facilitates an enhanced understanding of the risks and can optimise spend on more value generating risks, within the organisational risk tolerance. The risk appetite statement translates the Board s enterprise level strategy into business unit strategy and objectives that are relevant and practical for teams and functional business areas. Encourages a risk management, not risk aversion, culture so that risk management is not purely the Risk Function s responsibility, but one that is shared and for which all employees are held accountable. Informs the determination of and potential for reduction of an organisation s total cost of risk over time this is the total cost of managing risk; from active and passive asset protection and loss prevention controls, to insurance and risk management personnel. Informs performance management and incentive measurement; inhibiting personnel from making decisions that are not aligned to the organisational risk appetite. Can enhance reputation demonstrates to shareholders, stakeholders and the market in general, that the organisation has good corporate governance, a proactive risk management approach and that its key business drivers have been determined with risk appetite in mind. Demonstrates to customers, employees, stakeholders and shareholders that the organisation is committed to its values, ethics and corporate sustainability and citizenship. The tone towards risk management has to be set from the top and this is ultimately driven by incentivisation. There should be a clear demonstration to new and existing employees of what the company is doing to manage risk. Paul Maynard, Chief Placement Officer, Willis UK at AIRMIC Conference (2013) in Commercial Risk Europe. HOW CAN WILLIS ASSIST? Willis brokers and risk advisors work closely with organisations across the core phases of risk management; assessment, treatment and measurement and monitoring to ensure that their Insurance and Risk Management Programs are operating effectively and cohesively with their respective ERM frameworks. Good corporate governance requires a corporate risk audit trail where risk retention, risk transfer and insurance decisions can be explained and justified. Willis Risk Services, the risk consulting arm of Willis has a range of services that can assist you to improve the cohesion and alignment of your organisation s insurance management and risk management to its overall ERM. For further information on these services please refer to your local Willis office (contact details overleaf ). PAGE 5

REFERENCE LIST Commercial Risk Europe (2013, July 23). Function of ERM in Organisations questioned by UK Risk Managers. Commercial Risk Europe. Retrieved from http://www.commercialriskeurope. com/cre/2531/15/function-of-erm-inorganisations-questioned-by-uk-riskmanagers/ Financial Services Authority (FSA) (2001) The Failure of the Royal Bank of Scotland Board Report. United Kingdom: Financial Services Authority. Standards Australia & Standards New Zealand. (2010) AS/NZS ISO 31000:2009 Risk Management - Principles and Guidelines. Australia & New Zealand: Joint Standards Australia/Standards New Zealand Committee OB-007 Risk Management. Strategic Risk (2014, June 16). AIRMIC 2014: Is risk changing or is it all in our heads?. Strategic Risk Global. Retrieved from http://www.strategic-risk-global. com/airmic-2014-is-risk-changing-or-isit-all-in-our-heads/1408749.article PAGE 6

CONTACT WILLIS AUSTRALIA www.willis.com.au ABN 90 000 321 237 AFSL 240600 Adelaide Hobart Perth Level 1, 190 Flinders Street Ground Floor, 85 Macquarie Street Level 8, 191 St Georges Terrace SA, 5000 TAS, 7000 WA, 6000 t: +61 8 8223 1200 t: +61 3 6235 8500 t: +61 8 9481 4455 Brisbane Melbourne Sydney Level 1, 10 Eagle Street Level 4, 555 Bourke Street Level 16, 123 Pitt Street QLD, 4000 VIC, 3000 NSW, 2000 t: +61 7 3167 8500 t: +61 3 8681 9800 t: +61 2 9285 4000 CONTACT WILLIS NEW ZEALAND www.willisgroup.co.nz Company No. 111584 FSP No. FSP37782 Auckland Wellington Christchurch Level 8, 21 Queen Street Level 8, 139 The Terrace Level 1, Building G, 2 Hazeldean Road Auckland, 1140 Wellington, 6011 Christchurch, 8024 t: +64 9 358 3319 t: +64 4 472 2677 t: +643 335 0412 This publication offers a general overview of its subject matter. It does not necessarily address every aspect of its subject. It is not intended to be, and should not be, used to replace specific advice relating to individual situations and we do not offer, and this should not be seen as, legal, accounting or tax advice. If you intend to take any action or make any decision on the basis of the content of this publication you should first seek specific advice from an appropriate professional. Some of the information in this publication may be compiled from third party sources we consider to be reliable, however we do not guarantee and are not responsible for the accuracy of such. The information given in this publication is believed to be accurate at the date of publication shown at the top of this document. This information may have subsequently changed or have been superseded and should not be relied upon to be accurate or suitable after this date. Copyright Willis Australia Limited 2014. W0477AU (2015)

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information