Presenter:
Gary
Morley
Presenter;
Gary
Morley
Governance & Risk Appetite
 The quality and frequency of risk information for
governing bodies varies significantly from firm to firm.
 Where risk information is provided, performance
indicators relevant to particular risks, assessments of the
availability and effectiveness of treatment and
comparison of risks against risk appetite are seldom
included.
 Many firms have not clearly defined their appetite for, or
tolerance of, risk.
•The banking crisis and the economic environment has further
highlighted the importance of firms having in place effective risk
management controls driven by firms senior management. Over the
last 12 months there have been various regulatory and European
reports & publications on this matter for example:
• Walker Report; A review of corporate governance in UK banks and
other financial industry entities, quote from report:
‘Firms should satisfy themselves on the integrity of its risk
management controls and that they are robust and defensible’
CEIOPS’’ Advice for Level 2 Implementing Measures on Solvency
II: System of Governance Synopsis
‘A clearly defined and well documented risk management strategy that
includes the risk management objectives, key risk management
principles, general risk appetite and assignment of risk management
responsibilities across all the activities of the undertaking and is
consistent with the undertaking’s overall business’
• ‘Effective Corporate Governance (Significant influence controlled
functions and Walker Review) Policy Statement (PS) September
2010’
A new framework of classification of controlled functions
NED holding a Chairman role will be reclassified:
• CF2a (Chairman)
• CF2b (Senior independent director)
• CF2c (Chairman of risk committee)
• CF2d (Chairman of audit committee)
• CF2e (Chairman of remuneration committee)
Chair of Risk/Audit/Remuneration Committees
• The FSA comment that they would not preclude executive directors
from
performing
the
role
of
chairperson
for
firms
risk/audit/remuneration committees, where that is deemed
appropriate in the circumstances of the firm, however they would
expect this to be in exceptional circumstances only and for these
functions typically to be filled by a NED.
Finance, Audit & Risk (CF28)
• The CF28 function will be spilt into three distinct functions finance,
risk and internal audit – CF 13, 14, and 15 respectively.
Internal Audit Function
• FSA adding further guidance to SUP 10 to make it clear that they
expect the person responsible for CF15 (Internal Audit) not to be
responsible for another governing function
• Additionally the FSA acknowledge the role of today’s internal audit
function and are amending SUP 10.8.3 R to include a requirement
that the internal audit function reports on the effectiveness of the
firm’s systems of internal control.
Outsourcing of CF 13 (Finance) & CF15 (Internal Audit)
A third-party service provider may be used to help a firm fulfil a
particular task or activity but cannot be in a position of significant
influence – that can only be a person at a firm. For example, if a firm’s
internal audit function has been outsourced, the person carrying out the
internal audit function (CF15) would normally be the person responsible
for that function to the governing body or in larger firms to the audit
committee.
The Walker Review - effective risk management
• Risk Committee
• Where no risk committee exists, there should, however, still be
someone accountable for risk at the firm and the governing body will
retain responsibility for risk oversight.
Risk Appetite
What is risk appetite?
• ‘’British Standards published BS 31100 in October 2008; offers the
following definition of risk appetite “the amount and type of risk that
an organisation is prepared to seek, accept or tolerate”.
• ‘’Some organisation prefer the distinction between risk tolerance
(maximum risk that can be taken before financial distress) and risk
appetite (amount of risk that is actually taken for reward)’’
Why is risk appetite important?
• An important mechanism for using and embedding Operational Risk
frameworks
• Principle 3 Management & Control; A firm must take reasonable
care to organise and control its affairs responsibly and effectively,
with adequate risk management systems
• SYSC 4.1.1R – A firm must have … effective processes to identify,
manage, monitor and report the risks it is or might be exposed to ….
• Operational Risk Management (INSPRU 5)
The Walker Review:
• Para 6.9 – … the Board has responsibility for the determination of
risk tolerance and appetite throughout the cycle……
• Recommendation 27:…the risk report should describe ….the
associated risk appetite and tolerance and how the actual risk
appetite is assessed over time …..
Setting a risk appetite
1). Setting a boundary on a probability and impact grid
2). Economic capital measures / balance sheet based expressions
3). Changes in credit ratings (headroom before a potential downgrade)
4). Profit and loss measures (e.g. tolerable level of annual loss)
5). Value based measures (based on probability of ruin or default)
6). Limits / targets or thresholds for key indicators (e.g. +/- 5% variation in profit or 1 - 2½
% variation in revenue)
7). Qualitative statements (e.g. zero tolerance for regulatory breaches or loss of life)
Elements of ‘good’ practice in the area of risk appetite are:
• Start with a ‘top down’ approach as this aligns better to strategy
setting processes in an organisation
• Balance the requirements of various stakeholders (not just
shareholders)
• Understand an organisation’s strategic objectives and associated
risks
• Align risk appetite with existing management processes (especially
personal performance management process)
• Differentiate between short-term and longer term risk appetite
• Broad communication of risk appetite in an organisation (beyond
senior management)
• Monitor risk appetite changes over time (retrospectively and
prospectively)
How are risk appetites expressed?
• How an organisation expresses its appetite for risk is a key
component of the challenge
• Some expressions are highly theoretical and quantitative and while
they may appear to be robust, they cannot always be understood
and therefore used effectively by an organisation’s decision makers.
• In contrast more subjective expressions of risk appetite can be both
vague and imprecise (such as statements like ‘we have no appetite
for making a loss’) and may actually promote inappropriate risk
taking behaviour on the part of an organisation’s decision makers.
Benefits of ‘risk appetite?
• Improved Board risk oversight and risk governance
• Communicate expectations for risk-taking to managers
• Communicate risk to the Board of Directors
• Achieve greater management consensus around risk
• Set limits for risk / reward trade-offs
• Increase accountability for management decision-making
Effective Communication of an Organisations Risk Appetitive
• There is little point going to the expense of determining an
organisation’s appetite for risk if this is not subsequently cascaded
to all of its decision makers, so that they can understand the ‘rules’
within which they should be operating.
Embedding Risk Appetite into Managerial Decision-making
•
Staff training initiatives – which could be used to promote risk awareness
and reinforce an organisation’s qualitative risk appetite statements
•
Incentive schemes, whereby management might be rewarded for achieving
specific economic targets whilst keeping risk indicators within agreed limits
•
Performance management and objective setting initiatives where staff are
given objectives that are directly aligned to current risk appetite priorities
The Link between Risk Appetite and Risk Monitoring
“Both the risk appetite and risk profile should be continuously monitored
by the Board (or equivalent) and formally reviewed at least annually
alongside the organisation’s strategy and planning processes. This
should consider whether the organisation’s risk appetite aligns with the
organisation’s risk profile and that the risk appetite remains appropriate
to deliver the organisation’s objectives in light of internal and external
drivers and constraints.”