Auditing Risk Appetite
Regulators around the world are calling for organizations to establish a risk appetite framework. This is primarily for financial services organizations and especially their financial-related risks. But some are extending the idea to organizations in other sectors and for non-financial risks.
The regulators have not heard the risk experts who disparage the concept of risk appetite. While I agree that it is a flawed concept, we have to recognize that it is a required practice for many and should find a way to address related regulations.
What is risk appetite?
In 2013, The Financial Stability Board (FSB) published “Principles for an Effective Risk Appetite Framework” (intended to apply only to financial services organizations) in which it included a number of definitions:
Risk Appetite: The aggregate level and types of risk a firm is willing to assume within its risk capacity to achieve its strategic objectives and business plan.
Risk Appetite Statement: The articulation in written form of the aggregate level and types of risk that a firm is willing to accept in order to achieve its business objectives. It includes qualitative statements as well as quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate. It should also address more difficult to quantify risks such as reputation and money laundering and financing of terrorism risks, as well as business ethics and conduct.
Risk Appetite Framework (RAF): The overall approach, including policies, processes, controls, and systems through which risk appetite is established, communicated, and monitored. It includes a risk appetite statement, risk limits, and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the RAF. The RAF should consider material risks to the firm, as well as to the firm’s reputation vis-à-vis policyholders, depositors, investors and customers.
The FSB document includes some useful language (emphasis added):
“An effective RAF should provide a common framework and comparable measures across the firm for senior management and the board to communicate, understand, and assess the level of risk that they are willing to accept. It explicitly defines the boundaries within which management is expected to operate when pursuing the firm’s business strategy. Firms that implement a RAF most effectively are those that incorporate the framework into the decision making process and into the firm-wide risk management framework, and communicate and champion the framework throughout the organisation, starting from the top. However, it is important to check that the ‘top down’ risk appetite is consistent with the ‘bottom up’ perspective. The assessment of a firm’s consolidated risk profile against its risk appetite should be an ongoing and iterative process. Implementing an effective RAF requires an appropriate combination of policies, processes, controls, systems and procedures to accomplish a set of objectives. The RAF should enable risk capacity, risk appetite, risk limits, and risk profile to be considered at the legal entity level as well as within the group context. As such, an effective and efficient RAF should be closely linked to the development of information technology (IT) and management information systems (MIS) in financial institutions.”
The FSB recognized that while it is useful for management to propose and the board to approve “aggregate level[s] and types of risk a firm is willing to assume”, real value is not obtained unless every risk-taker (which amount to every decision-maker) understands how these limits apply to their actions and responsibilities – and acts accordingly. The FSB guidance includes these among the requirements for “business line leaders and legal entity-level management” (emphasis added):
“a) ensure alignment between the approved risk appetite and planning, compensation, and decision-making processes of the business unit and legal entity;
“b) cascade the risk appetite statement and risk limits into their activities so as to embed prudent risk taking into the firm’s risk culture and day to day management of risk;
“c) establish and actively monitor adherence to approved risk limits;”
The most significant problem with this notion is that it is impossible to define every risk that decision-makers might take in the course of running the business, especially when risks are changing constantly and what the business should accept also changes as business conditions change.
Fortunately, the FSB looks to internal audit to ensure that the RAF meets the needs of the organization and is not a static document that is meaningful only to the board.
The FSB publication includes requirements for internal audit to assess the RAF. They say that “internal audit (or other independent assessor) should (emphasis added):
“a) routinely include assessments of the RAF on a firm-wide basis as well as on an individual business line and legal entity basis;
“b) identify whether breaches in risk limits are being appropriately identified, escalated and reported, and report on the implementation of the RAF to the board and senior management as appropriate;
“c) independently assess at least annually the design and effectiveness of the RAF and its alignment with supervisory expectations;
“d) assess the effectiveness of the implementation of the RAF, including linkage to strategic and business planning, compensation, and decision-making processes;
“e) validate the design and effectiveness of risk measurement techniques and MIS used to monitor the firm’s risk profile in relation to its risk appetite;
“f) report any deficiencies in the RAF and on alignment (or otherwise) of risk appetite and risk profile with risk culture to the board and senior management in a timely manner; and
“g) evaluate the need to supplement its own independent assessment with expertise from third parties to provide a comprehensive independent view of the effectiveness of the RAF. “
This is useful for anybody who wants to audit risk management, even if for a non-financial institution.
I translate all of the above to answering these questions:
- Do those responsible for taking risks, whether in the executive suite or in the trenches of the organization, have the guidance they need to ensure that risks they are creating and/or managing are maintained at levels acceptable to the board? This should include both the mitigation of excessive adverse risk and addressing situations where insufficient risk is taken (e.g., where a manager is overly cautious to the detriment of the organization).
- Is that guidance updated and communicated as business conditions (internal and external) change?
- When management proposes and the board approves strategies, plans, objectives, and similar, is appropriate consideration given to risks to those strategies and objectives?
- Is necessary and appropriate risk information (including the results of risk monitoring) provided to the board, executives, and other managers so they can effectively direct and manage the organization?
- Are exceptions appropriate reported and addressed?
- Is performance management (especially reporting) adequately integrated with risk management, and are those responsible for driving performance against objectives also held responsible for addressing risks to those objectives?
That ‘guidance’ could be in the form of a risk appetite statement (or similar) as envisaged by the FSB and described in COSO’s ERM – Integrated Framework, or in the form of risk criteria as required by the global risk management standard, ISO 31000:2009.
What I especially like about the FSB list of questions (and reflected in mine) is that it recognizes that mere compliance with an RAF is an insufficient audit approach; it is critical to assess whether it is current, timely, communicated broadly, and meets the needs of the business.
I welcome your comments.