WHITE PAPER FOUR PRACTICAL WAYS TO CAPTURE AND MONITOR RISK APPETITE

Transcription

1 WHITE PAPER FOUR PRACTICAL WAYS TO CAPTURE AND MONITOR RISK APPETITE 90

2 CAPTURE AND MONITOR RISK APPETITE 2 FOUR PRACTICAL WAYS TO CAPTURE AND MONITOR RISK APPETITE Many organisations are grappling with how to capture and monitor risk appetite within their organisation. While many papers have been written on the topic, there is a lack of practical guidance on the different ways that can be used to capture and report on risk appetite. This whitepaper provides an overview of what risk appetite is. It then describes 4 different ways to capture and monitor risk appetite across an organisation and discusses their pros and cons. RISK APPETITE On the face of it, risk appetite is a straightforward concept. It is the amount of risk an organisation is prepared to take in meeting its goals or objectives. However, in practice defining what this actually means to a specific organisation can be quite challenging. Many organisations find it difficult to decide on an approach to risk appetite that is practical, accurate, and which can be readily rolled out and monitored across the business. Many organisations find it difficult to decide on an approach to risk appetite that is practical, accurate, and which can be readily rolled out and monitored across the business. The many whitepapers and standards on the subject don t help either, as they tend to focus on high level concepts rather than detailed guidance on the topic. In practice there are a number of different ways to capture and monitor risk appetite, each with their own benefits and disadvantages. Thus, the rest of this whitepaper describes some of the main ways we have seen risk appetite implemented across organisations and where we see their benefits and challenges.

3 -/+ - CAPTURE AND MONITOR RISK APPETITE 3 APPROACH 1. QUALITATIVE RISK APPETITE STATEMENT This is the simplest approach to capturing a risk appetite statement. An organisation will pick specific categories of risk, for instance Reputation or specific risks such as Bribery and Corruption Risk and capture in words what level of risk they are prepared to take. Note, the specific risk categories or risks will be aligned with the type of business that the organisation undertakes and its value drivers or principles. For example, a financial organisation may set their appetite levels to be much lower for fraud and bribery risks because of its impact on the reputation of the organisation. Figure 1 Example of a simple risk appetite statement OTHER EXAMPLES We have zero risk tolerance for fraudulent activities The business has low tolerance of IT system failure We will take all steps possible to minimize the likelihood of adverse reputational impact BENEFITS Simplicity Ease of communication DISADVANTAGES Words are notoriously open to misinterpretation Difficult to measure and monitor However, the above can be addressed by providing more detailed, measurable statements to back them up (more on this later)

4 CAPTURE AND MONITOR RISK APPETITE 4 APPROACH 2. QUALITATIVE RISK APPETITE RATING Figure 2 Example of a simple risk appetite rating Figure 3 Example of a simple risk appetite rating This is the next simplest approach to capturing a risk appetite statement. An organisation will pick specific categories of risk and rate the level of risk they are prepared to take. Typical levels of risk appetite rating are Low, Medium and High, reflecting the appetite for that risk. BENEFITS Simple and easy to communicate Easy to create reports comparing current risk ratings against the risk appetite rating, for example: DISADVANTAGES Lack of precision Hard to define what Low, Medium and High means Could define a risk appetite matrix, however, this can become complicated if the definition needs to cover multiple risk categories An organisation will pick specific categories of risk and rate the level of risk they are prepared to take.

5 CAPTURE AND MONITOR RISK APPETITE 5 APPROACH 3. QUANTITATIVE RISK THRESHOLDS In order to address the limitations of qualitative risk appetite statements, many organisations, particularly financial ones, utilise quantitative approaches to capture and monitor their risk appetite position. One common approach is to set thresholds against specific risks. A specific risk rating score will be set as the appetite threshold. A tolerance threshold might also be used to indicate when a particular risk is deemed a significant threat to the organisation from an appetite perspective. As an example, below there is a quantitative risk appetite statement for the risk Key Staff not retained. Here we see that the appetite for this risk has been set to a residual risk rating of 6, while its tolerance level is set at 12. Its current rating is therefore amber, as the residual risk score (shown bottom right) is currently 8. Figure 4 Example of a threshold based risk appetite rating

6 CAPTURE AND MONITOR RISK APPETITE 6 Once defined, risk appetite thresholds can be used to generate a number of useful summary reports, for instance as a Spider Chart (figure 5 - next page). This provides a clear view of the organisation s risk appetite levels and also where residual risk scores fit within those thresholds. BENEFITS Another approach to capturing risk appetite thresholds is to use a target risk rating. Improved accuracy and consistency compared with a written statement Easy to compare current risk position against risk appetite Easier to monitor and track DISADVANTAGES Requires a good understanding of the risk scoring approach in order to set appropriate thresholds Not as intuitive to understand or communicate Figure 5 Example of a risk appetite spider chart

7 CAPTURE AND MONITOR RISK APPETITE 7 APPROACH 3B. QUANTITATIVE - TARGET RISK RATING Rather than using custom appetite and threshold fields, another approach to capturing risk appetite thresholds is to use a target risk rating. The target rating represents the level of risk that the organisation is prepared to accept. In the following example, the appetite for this risk is very low, as its target rating is 1 (green). The risk is also outside of appetite, as the residual score is 6, i.e. there is a difference of 5: Figure 6 Using target ratings to capture risk appetite By calculating the difference, a graph categorising risks by the extent to which they are outside of appetite can be easily created: Figure 7 Risks categorised as outside appetite

8 CAPTURE AND MONITOR RISK APPETITE 8 APPROACH 4. QUANTITATIVE KEY RISK INDICATORS Another common quantitative approach to risk appetite is to utilise Key Risk Indicators (KRIs) to capture different appetite statements. KRIs are measurable metrics that indicate the potential for a risk to occur. Their aim is to provide prior notification of a shift in risk conditions or to identify new emerging risks. 90 KRIs are measured by one or more quantifiable values or metrics. Numerical or percentage thresholds are set that equate to a red, amber or green rating. In the case of the KRI customer complaints (shown below) we might be interested in the metrics % change in complaints or the number of complaints. In this case, a 5% or more increase will result in a red rating, between 35% and 5% will result in amber, and less than 3% will be rated as green. Figure 8 Example of a Key Risk Indicator KRI Name Customer Complaints ERM System Benefits Description Frequency Business Unit To measure the change in complaints: a significant change may indicate an impact on our strategic risks Monthly Support Name Type Upper/Lower Threshold Amber Threshold % in change in complaints Percentage Upper 5% 3%

9 CAPTURE AND MONITOR RISK APPETITE 9 Just as KRIs can be used to predict risk occurrence, they can also be used to set appetite levels for the organisation. They enable risk appetite statements to be made across a broad range of data for example, relating to capital exposure or loss event history. KRI results are typically collected on a regular basis, e.g. daily, weekly or monthly, thus enabling a historical trend of their movement to be built up over time (as shown below in figure 10). Here is a KRI that could be used to capture risk appetite relating to Fraud Losses: Figure 9 Example of a KRI used to measure fraud appetite KRI Name Internal Fruad Losses ERM System Benefits Description Frequency Business Unit Metric 1 To measure the fraud losses in previous 6 months Monthly Support Name Type Upper/Lower Threshold Amber Threshold Total fraud lossses in previous 6 months Currency Upper 250k 100k Figure 10 Example of a historical recording of KRI

10 CAPTURE AND MONITOR RISK APPETITE 10 Finally, KRIs facilitate aggregation of risk appetite around specific risk categories, e.g. strategic risks vs. financial risks, and so on. This can result in a simple traffic light view of risk appetite based on risk category (see example below). Figure 11 Example of a risk appetite aggregation BENEFITS Can capture risk appetite statements across a wide variety of datasets Easy to report on and trend Easier to monitor and track over long periods of time Enable aggregation DISADVANTAGES Requires a good understanding of where to set thresholds Not as intuitive to understand and communicate MAPPING KRIs TO RISK APPETITE The key to identifying KRIs for risk appetite is to identify those KRIs that indicate a serious potential impact to an organisation s value drivers or core principles. For example, a financial institution may wish to focus on KRIs relating to capital or regulatory requirements; an insurance company may be sensitive to misselling and reputational risk, an IT provider may be focused on security of data or perceived trust, an oil and gas company may not tolerate health and safety issues and so on. Identify what really matters to the organisation or business unit and set thresholds for KRIs that quickly identify areas of unacceptable risk. Identify what really matters to the organisation or business unit and set thresholds for KRIs that quickly identify areas of unacceptable risk. OTHER EXAMPLES The size of any single operational loss over a specific period The number of system failures Loss of key resources over a specific period The number and severity of negative reputational events

11 CAPTURE AND MONITOR RISK APPETITE 11 SUMMARY This whitepaper has provided an overview of 4 common ways in which risk appetite can be captured and monitored. In general terms, they can be divided into simple, qualitative statements vs. more complex, but measurable quantitative approaches. The Xactium system has been built to accommodate each of these approaches, giving organisations the flexibility to decide on the most appropriate route, taking into consideration their advantages and disadvantages. For more information about the benefits of implementing Xactium across your organisation visit: You may also be interested in reading our whitepaper on effectively leveraging KRIs:

12 ABOUT XACTIUM Xactium is a cloud based GRC software provider that helps Risk Managers to transform the way that Financial services organisations evaluate and manage their enterprise risk. The value of the risk process and its profile is raised through the use of risk intelligence that improves efficiency and creates insights that influence decisions across the business. As the central risk platform used by the FCA to supervise the market, it has also been adopted by a wide range of financial services organisations from across the industry. Companies such as Direct Line Group, JLT, MS Amlin and Argo Group. Xactium is the world s first enterprise risk-intelligent system, with the revolutionary use of embedded AI (Artificial Intelligence), 3D visualisation and automation that dramatically improves efficiency and creates innovative analytics. Reporting is made easy and timely, and predictive insights enable senior managers to prioritise resources. Xactium is also built for managing change and is probably the most flexible and configurable enterprise risk management system available today. This adaptability ensures that our customers stay up to date and able to respond to both business and regulatory change, without the need for costly bespoke programming. Overall, Xactium releases more time and resource for the risk team to help promote best practice and demonstrate the value of risk across the business through actionable insight. Visit us online at Tel: +44 (0) info@xactium.com Head Office Xactium House 28 Kenwood Park Road Sheffield S7 1NF London Office Xactium Ltd 1st Floor 6 Bevis Marks London EC3A 7BA