WHITE PAPER FOUR PRACTICAL WAYS TO CAPTURE AND MONITOR RISK APPETITE


Many organisations are grappling with how to capture and monitor risk appetite within their organisation. While many papers have been written on the topic, there is a lack of practical guidance on the different ways that can be used to capture and report on risk appetite.

This whitepaper provides an overview of what risk appetite is. It then describes 4 different ways to capture and monitor risk appetite across an organisation and discusses their pros and cons.

RISK APPETITE

On the face of it, risk appetite is a straightforward concept. It is the amount of risk an organisation is prepared to take in meeting its goals or objectives. However, in practice defining what this actually means to a specific organisation can be quite challenging. Many organisations find it difficult to decide on an approach to risk appetite that is practical, accurate, and which can be readily rolled out and monitored across the business. The many whitepapers and standards on the subject don't help either, as they tend to focus on high level concepts rather than detailed guidance on the topic.

In practice there are a number of different ways to capture and monitor risk appetite, each with their own benefits and disadvantages. Thus, the rest of this whitepaper describes some of the main ways we have seen risk appetite implemented across organisations and where we see their benefits and challenges.

APPROACH 1. QUALITATIVE RISK APPETITE STATEMENT

This is the simplest approach to capturing a risk appetite statement. An organisation will pick specific categories of risk, for instance "Reputation", or specific risks such as "Bribery and Corruption Risk", and capture in words what level of risk they are prepared to take.

Note, the specific risk categories or risks will be aligned with the type of business that the organisation undertakes and its value drivers or principles. For example, a financial organisation may set their appetite levels to be much lower for fraud and bribery risks because of its impact on the reputation of the organisation.

[Figure 1: Example of a simple risk appetite statement]

OTHER EXAMPLES

- We have zero risk tolerance for fraudulent activities
- The business has low tolerance of IT system failure
- We will take all steps possible to minimize the likelihood of adverse reputational impact

BENEFITS

- Simplicity
- Ease of communication

DISADVANTAGES

- Words are notoriously open to misinterpretation
- Difficult to measure and monitor

However, the above can be addressed by providing more detailed, measurable statements to back them up (more on this later).

APPROACH 2. QUALITATIVE RISK APPETITE RATING

This is the next simplest approach to capturing a risk appetite statement. An organisation will pick specific categories of risk and rate the level of risk they are prepared to take. Typical levels of risk appetite rating are Low, Medium and High, reflecting the appetite for that risk.

[Figure 2: Example of a simple risk appetite rating]

BENEFITS

- Simple and easy to communicate
- Easy to create reports comparing current risk ratings against the risk appetite rating, for example:

[Figure 3: Example of a simple risk appetite rating]

DISADVANTAGES

- Lack of precision
- Hard to define what Low, Medium and High means
- Could define a risk appetite matrix, however, this can become complicated if the definition needs to cover multiple risk categories

APPROACH 3. QUANTITATIVE RISK THRESHOLDS

In order to address the limitations of qualitative risk appetite statements, many organisations, particularly financial ones, utilise quantitative approaches to capture and monitor their risk appetite position.

One common approach is to set thresholds against specific risks. A specific risk rating score will be set as the appetite threshold. A tolerance threshold might also be used to indicate when a particular risk is deemed a significant threat to the organisation from an appetite perspective.

As an example, below there is a quantitative risk appetite statement for the risk "Key Staff not retained". Here we see that the appetite for this risk has been set to a residual risk rating of 6, while its tolerance level is set at 12. Its current rating is therefore amber, as the residual risk score (shown bottom right) is currently 8.

[Figure 4: Example of a threshold based risk appetite rating]

Once defined, risk appetite thresholds can be used to generate a number of useful summary reports, for instance as a Spider Chart (Figure 5). This provides a clear view of the organisation's risk appetite levels and also where residual risk scores fit within those thresholds.

BENEFITS

- Improved accuracy and consistency compared with a written statement
- Easy to compare current risk position against risk appetite
- Easier to monitor and track

DISADVANTAGES

- Requires a good understanding of the risk scoring approach in order to set appropriate thresholds
- Not as intuitive to understand or communicate

[Figure 5: Example of a risk appetite spider chart]

APPROACH 3B. QUANTITATIVE - TARGET RISK RATING

Rather than using custom appetite and threshold fields, another approach to capturing risk appetite thresholds is to use a target risk rating. The target rating represents the level of risk that the organisation is prepared to accept.

In the following example, the appetite for this risk is very low, as its target rating is 1 (green). The risk is also outside of appetite, as the residual score is 6, i.e. there is a difference of 5:

[Figure 6: Using target ratings to capture risk appetite]

By calculating the difference, a graph categorising risks by the extent to which they are outside of appetite can be easily created:

[Figure 7: Risks categorised as outside appetite]

APPROACH 4. QUANTITATIVE KEY RISK INDICATORS

Another common quantitative approach to risk appetite is to utilise Key Risk Indicators (KRIs) to capture different appetite statements. KRIs are measurable metrics that indicate the potential for a risk to occur. Their aim is to provide prior notification of a shift in risk conditions or to identify new emerging risks.

KRIs are measured by one or more quantifiable values or metrics. Numerical or percentage thresholds are set that equate to a red, amber or green rating. In the case of the KRI "customer complaints" (shown below) we might be interested in the metrics "% change in complaints" or "the number of complaints". In this case, a 5% or more increase will result in a red rating, between 3% and 5% will result in amber, and less than 3% will be rated as green.

[Figure 8: Example of a Key Risk Indicator]

KRI Name: Customer Complaints
ERM System Benefits
Description: To measure the change in complaints: a significant change may indicate an impact on our strategic risks
Frequency: Monthly
Business Unit: Support

Metric
  Name: % change in complaints
  Type: Percentage
  Upper/Lower: Upper
  Threshold: 5%
  Amber Threshold: 3%

Just as KRIs can be used to predict risk occurrence, they can also be used to set appetite levels for the organisation. They enable risk appetite statements to be made across a broad range of data, for example relating to capital exposure or loss event history.

KRI results are typically collected on a regular basis, e.g. daily, weekly or monthly, thus enabling a historical trend of their movement to be built up over time (as shown below in Figure 10).

Here is a KRI that could be used to capture risk appetite relating to Fraud Losses:

[Figure 9: Example of a KRI used to measure fraud appetite]

KRI Name: Internal Fraud Losses
ERM System Benefits
Description: To measure the fraud losses in previous 6 months
Frequency: Monthly
Business Unit: Support

Metric 1
  Name: Total fraud losses in previous 6 months
  Type: Currency
  Upper/Lower: Upper
  Threshold: 250k
  Amber Threshold: 100k

[Figure 10: Example of a historical recording of KRI]

Finally, KRIs facilitate aggregation of risk appetite around specific risk categories, e.g. strategic risks vs. financial risks, and so on. This can result in a simple traffic light view of risk appetite based on risk category (see example below).

[Figure 11: Example of a risk appetite aggregation]

BENEFITS

- Can capture risk appetite statements across a wide variety of datasets
- Easy to report on and trend
- Easier to monitor and track over long periods of time
- Enable aggregation

DISADVANTAGES

- Requires a good understanding of where to set thresholds
- Not as intuitive to understand and communicate

MAPPING KRIs TO RISK APPETITE

The key to identifying KRIs for risk appetite is to identify those KRIs that indicate a serious potential impact to an organisation's value drivers or core principles. For example, a financial institution may wish to focus on KRIs relating to capital or regulatory requirements; an insurance company may be sensitive to misselling and reputational risk; an IT provider may be focused on security of data or perceived trust; an oil and gas company may not tolerate health and safety issues, and so on.

Identify what really matters to the organisation or business unit and set thresholds for KRIs that quickly identify areas of unacceptable risk.

OTHER EXAMPLES

- The size of any single operational loss over a specific period
- The number of system failures
- Loss of key resources over a specific period
- The number and severity of negative reputational events
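The threshold rules from Approaches 3, 3B and 4 and the category roll-up can be expressed in a few lines of Python. This is an added example, not part of the whitepaper or of any vendor product. Assumptions: a score equal to the appetite threshold counts as within appetite, the roll-up takes the worst rating per category, a missing reading is rated red, and the category names, the "System availability" KRI and all readings are constructed for illustration.

```python
from dataclasses import dataclass

GREEN, AMBER, RED = "green", "amber", "red"
SEVERITY = {GREEN: 0, AMBER: 1, RED: 2}

def rate_risk(residual, appetite, tolerance):
    """Approach 3: place a residual risk score against appetite and tolerance."""
    if appetite > tolerance:
        raise ValueError("appetite threshold must not exceed tolerance")
    if residual <= appetite:  # assumption: equal to appetite is still within it
        return GREEN
    return AMBER if residual <= tolerance else RED

def appetite_gap(residual, target):
    """Approach 3B: how far the residual score sits above the target rating."""
    return max(0, residual - target)

@dataclass(frozen=True)
class Kri:
    name: str
    category: str   # assumption: each KRI maps to exactly one risk category
    direction: str  # "upper": high values breach; "lower": low values breach
    amber: float
    red: float

    def __post_init__(self):
        if self.direction not in ("upper", "lower"):
            raise ValueError(f"{self.name}: direction must be 'upper' or 'lower'")
        upper = self.direction == "upper"
        if not (self.amber <= self.red if upper else self.amber >= self.red):
            raise ValueError(f"{self.name}: amber must be reached before red")

    def rate(self, value):
        # Mirror lower-bound KRIs so one comparison covers both directions.
        sign = 1 if self.direction == "upper" else -1
        if sign * value >= sign * self.red:
            return RED
        return AMBER if sign * value >= sign * self.amber else GREEN

def aggregate(kris, readings):
    """Traffic-light view per category, using the worst rating (assumed rule)."""
    worst = {}
    for kri in kris:
        # Assumption: a KRI with no reading is a breach, never silently green.
        rating = kri.rate(readings[kri.name]) if kri.name in readings else RED
        if SEVERITY[rating] > SEVERITY.get(worst.get(kri.category), -1):
            worst[kri.category] = rating
    return worst

# Thresholds for the first two KRIs come from Figures 8 and 9; the third KRI
# and every category name are hypothetical.
KRIS = [
    Kri("Customer complaints (% change)", "Strategic", "upper", 3.0, 5.0),
    Kri("Internal fraud losses (6 months)", "Financial", "upper", 100_000, 250_000),
    Kri("System availability (%)", "Operational", "lower", 99.5, 99.0),
]
# Constructed sample readings for one reporting period.
READINGS = {
    "Customer complaints (% change)": 4.2,
    "Internal fraud losses (6 months)": 80_000,
    "System availability (%)": 98.7,
}

if __name__ == "__main__":
    print(rate_risk(8, 6, 12), appetite_gap(6, 1), aggregate(KRIS, READINGS))
```

Rating a missing reading as red keeps a stalled data feed from showing a category as within appetite.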

SUMMARY

This whitepaper has provided an overview of 4 common ways in which risk appetite can be captured and monitored. In general terms, they can be divided into simple, qualitative statements vs. more complex, but measurable quantitative approaches.

The Xactium system has been built to accommodate each of these approaches, giving organisations the flexibility to decide on the most appropriate route, taking into consideration their advantages and disadvantages.

For more information about the benefits of implementing Xactium across your organisation visit: www.xactium.com/risk-managementsoftware

You may also be interested in reading our whitepaper on effectively leveraging KRIs: http://bit.ly/2svqh79

ABOUT XACTIUM

Xactium is a cloud based GRC software provider that helps Risk Managers to transform the way that Financial services organisations evaluate and manage their enterprise risk. The value of the risk process and its profile is raised through the use of risk intelligence that improves efficiency and creates insights that influence decisions across the business.

As the central risk platform used by the FCA to supervise the market, it has also been adopted by a wide range of financial services organisations from across the industry. Companies such as Direct Line Group, JLT, MS Amlin and Argo Group.

Xactium is the world's first enterprise risk-intelligent system, with the revolutionary use of embedded AI (Artificial Intelligence), 3D visualisation and automation that dramatically improves efficiency and creates innovative analytics. Reporting is made easy and timely, and predictive insights enable senior managers to prioritise resources.

Xactium is also built for managing change and is probably the most flexible and configurable enterprise risk management system available today. This adaptability ensures that our customers stay up to date and able to respond to both business and regulatory change, without the need for costly bespoke programming.

Overall, Xactium releases more time and resource for the risk team to help promote best practice and demonstrate the value of risk across the business through actionable insight.

Visit us online at www.xactium.com
Tel: +44 (0) 114 2505 315
Email: info@xactium.com

Head Office: Xactium House, 28 Kenwood Park Road, Sheffield S7 1NF
London Office: Xactium Ltd, 1st Floor, 6 Bevis Marks, London EC3A 7BA