Auditing Risk Appetite
Regulators around the world are calling for organizations to establish a risk appetite framework. This is primarily for financial services organizations and especially their financial-related risks. But some are extending the idea to organizations in other sectors and for non-financial risks.
The regulators have not heard the risk experts who disparage the concept of risk appetite. While I agree that it is a flawed concept, we have to recognize that it is a required practice for many and should find a way to address related regulations.
What is risk appetite?
In 2013, The Financial Stability Board (FSB) published “Principles for an Effective Risk Appetite Framework” (intended to apply only to financial services organizations) in which it included a number of definitions:
Risk Appetite: The aggregate level and types of risk a firm is willing to assume within its risk capacity to achieve its strategic objectives and business plan.
Risk Appetite Statement: The articulation in written form of the aggregate level and types of risk that a firm is willing to accept in order to achieve its business objectives. It includes qualitative statements as well as quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate. It should also address more difficult to quantify risks such as reputation and money laundering and financing of terrorism risks, as well as business ethics and conduct.
Risk Appetite Framework (RAF): The overall approach, including policies, processes, controls, and systems through which risk appetite is established, communicated, and monitored. It includes a risk appetite statement, risk limits, and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the RAF. The RAF should consider material risks to the firm, as well as to the firm’s reputation vis-à-vis policyholders, depositors, investors and customers.
The FSB document includes some useful language (emphasis added):
“An effective RAF should provide a common framework and comparable measures across the firm for senior management and the board to communicate, understand, and assess the level of risk that they are willing to accept. It explicitly defines the boundaries within which management is expected to operate when pursuing the firm’s business strategy. Firms that implement a RAF most effectively are those that incorporate the framework into the decision making process and into the firm-wide risk management framework, and communicate and champion the framework throughout the organisation, starting from the top. However, it is important to check that the ‘top down’ risk appetite is consistent with the ‘bottom up’ perspective. The assessment of a firm’s consolidated risk profile against its risk appetite should be an ongoing and iterative process. Implementing an effective RAF requires an appropriate combination of policies, processes, controls, systems and procedures to accomplish a set of objectives. The RAF should enable risk capacity, risk appetite, risk limits, and risk profile to be considered at the legal entity level as well as within the group context. As such, an effective and efficient RAF should be closely linked to the development of information technology (IT) and management information systems (MIS) in financial institutions.”
The FSB recognized that while it is useful for management to propose and the board to approve “aggregate level[s] and types of risk a firm is willing to assume”, real value is not obtained unless every risk-taker (which amounts to every decision-maker) understands how these limits apply to their actions and responsibilities – and acts accordingly. The FSB guidance includes these among the requirements for “business line leaders and legal entity-level management” (emphasis added):
“a) ensure alignment between the approved risk appetite and planning, compensation, and decision-making processes of the business unit and legal entity;
“b) cascade the risk appetite statement and risk limits into their activities so as to embed prudent risk taking into the firm’s risk culture and day to day management of risk;
“c) establish and actively monitor adherence to approved risk limits;”
The most significant problem with this notion is that it is impossible to define every risk that decision-makers might take in the course of running the business, especially when risks are changing constantly and what the business should accept also changes as business conditions change.
Fortunately, the FSB looks to internal audit to ensure that the RAF meets the needs of the organization and is not a static document that is meaningful only to the board.
The FSB publication includes requirements for internal audit to assess the RAF. It says that “internal audit (or other independent assessor) should” (emphasis added):
“a) routinely include assessments of the RAF on a firm-wide basis as well as on an individual business line and legal entity basis;
“b) identify whether breaches in risk limits are being appropriately identified, escalated and reported, and report on the implementation of the RAF to the board and senior management as appropriate;
“c) independently assess at least annually the design and effectiveness of the RAF and its alignment with supervisory expectations;
“d) assess the effectiveness of the implementation of the RAF, including linkage to strategic and business planning, compensation, and decision-making processes;
“e) validate the design and effectiveness of risk measurement techniques and MIS used to monitor the firm’s risk profile in relation to its risk appetite;
“f) report any deficiencies in the RAF and on alignment (or otherwise) of risk appetite and risk profile with risk culture to the board and senior management in a timely manner; and
“g) evaluate the need to supplement its own independent assessment with expertise from third parties to provide a comprehensive independent view of the effectiveness of the RAF.”
This is useful for anybody who wants to audit risk management, even if for a non-financial institution.
I translate all of the above to answering these questions:
- Do those responsible for taking risks, whether in the executive suite or in the trenches of the organization, have the guidance they need to ensure that risks they are creating and/or managing are maintained at levels acceptable to the board? This should include both the mitigation of excessive adverse risk and addressing situations where insufficient risk is taken (e.g., where a manager is overly cautious to the detriment of the organization).
- Is that guidance updated and communicated as business conditions (internal and external) change?
- When management proposes and the board approves strategies, plans, objectives, and similar, is appropriate consideration given to risks to those strategies and objectives?
- Is necessary and appropriate risk information (including the results of risk monitoring) provided to the board, executives, and other managers so they can effectively direct and manage the organization?
- Are exceptions appropriately reported and addressed?
- Is performance management (especially reporting) adequately integrated with risk management, and are those responsible for driving performance against objectives also held responsible for addressing risks to those objectives?
That ‘guidance’ could be in the form of a risk appetite statement (or similar) as envisaged by the FSB and described in COSO’s ERM – Integrated Framework, or in the form of risk criteria as required by the global risk management standard, ISO 31000:2009.
What I especially like about the FSB list of questions (and reflected in mine) is that it recognizes that mere compliance with an RAF is an insufficient audit approach; it is critical to assess whether it is current, timely, communicated broadly, and meets the needs of the business.
I welcome your comments.
Wondering – how is IA assessing the RAF, and how do stakeholders and the audit committee know if IA is doing it appropriately or sufficiently? Is there specific guidance? How are regulators determining sufficiency? Are insurers taking these requirements into consideration when determining rates?
Dave Tate, Esq. (San Francisco)
http://tatetalk.com
Even though risk appetite may not be that useful for non-financial institutions… I suspect it will head down the same path (regrettably) that to date formal risk management has headed down, i.e. form over substance. As consultants pushing for extra work start writing articles, doing presentations to Boards etc., eventually corporate governance authorities incorporate (or elaborate further) risk appetite in their Standards/Guidelines, making formal explicit documentation/process a desirable feature of an overall risk management framework. It keeps people (like us!) employed I suppose, albeit I suggest that it may not add one bit of value to many non-financial related companies (i.e. many already have risk appetite clearly defined in their strategies, KPIs, limits of authority etc.). I guess no different to what has happened in relation to risk management in general over the years, unfortunately.
I agree with Glenn Daly that it is creating a lot of work for consultants, writers and academicians, but to the non-financial related companies, risk appetite may not add one bit of value. Businesses cannot be defined as exactly as science, and there are areas like entrepreneurial skill that bring success to the company. Perhaps it is better to let RAF be a good practice but not necessarily adopted by all businesses. We are now seeing a lot of standards being issued, from accounting to auditing to risk management to ISO etc. Business people should focus on building the business instead of being required to comply with every standard that comes out, which stifles creativity and entrepreneurship. One must weigh the cost of compliance to carry out business, as eventually prices of goods and services have to increase because of the increase in the cost of compliance.
With more prescriptive risk management practices, the cost of compliance is not the only concern. If we continue to have the Me2 approach with the banks, there is a far more serious issue emerging. More explicit risk management practices provide additional “air cover” for Directors in the event the company they are oversighting gets caught out. In other words, more explicit risk management practices potentially encourage companies to engage in activities that may be considered questionable, knowing they can plead ignorance and point to the COBC, risk management procedures or whatever etc. which (in theory) evidences they were trying to do the right thing. More explicit risk management practices are on occasion potentially encouraging what risk management was trying to prevent. I am afraid the formal discipline of risk management is losing (or has lost) credibility to some extent, and before we go down the path of additional explicit risk management practices such as risk appetite, this factor needs to be considered. Of course this will not go down well with the consultants, who, after a company gets caught out or has some disaster, make their money by adding to the problem by either prescribing or reinforcing even more prescriptive risk management practices. Food for thought I think, albeit it is not something that many will like hearing or overtly agree with.
A company can have a nicely drawn up ERM Framework with Risk Appetite & Risk Tolerance statements, but if no one understands or validates it, it is useless. Likewise, if it is just a document not linked to the Co’s strategy or business plans, or if it is too quantitative or too qualitative.
Secondly, do IAs have the competencies to evaluate/validate/suggest improvements?
In my view there are risks and there are risks. Commercial and financial risks are susceptible to rational analysis and hence respond well to the application of the risk appetite concept. They are manageable risks and interact in observable and predictable ways with commercial objectives and the outcomes that shadow them.
Ethical and fraud risks on the other hand are not of this order of risk. To ask the question: how much appetite does this organisation have for wrongdoing makes little sense. It is not a question of appetite. In fact it should not be presented as a choice at all. What this risk represents is a threat to fair dealing and good conduct, without which, on the macro level, economic outcomes are perverted and social equity is impaired. And it is not within the gift of any company to put this utilitarian social compact at risk for the sake of self-economic interest. This is why it is completely wrong to speak as if there is a choice to be made. There isn’t. Managers have plenty of other choices and decisions to confront and take in their legitimate pursuit of profit – this is the arena in which risk appetite applies. Fair dealing and proper conduct provide the normative stability around this dynamic. Seen this way, managers can relax about whether this or that shenanigan is worth a punt – they may even feel emboldened by a clearer sense of mission. Rules of conduct are there to help simplify their decision making, not to thwart it.