The Financial Stability Board (FSB), an international body that monitors and makes recommendations about the global financial system, published "Principles for An Effective Risk Appetite Framework" in November 2013. Regulations were finalized around these principles by some regulators, including the Comptroller of the Currency, in 2014. Although its genesis is financial-institution related, there is a lot in this publication that is useful to any organization trying to establish a risk appetite. I've edited out the financial institution specific references for general consumption, regardless of industry.
Risk appetite statement definition: The articulation in written form of the aggregate level and types of risk that an organization is willing to accept, or to avoid, in order to achieve its business objectives. It includes qualitative statements as well as quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate. It should also address more difficult to quantify risks such as reputation and conduct risks as well as unethical practices.
An effective risk appetite statement should:
- Include key background information and assumptions that informed the organization's strategic and business plans at the time they were approved;
- Be linked to the institution's short- and long-term strategic, capital and financial plans, as well as compensation programs, if applicable;
- Establish the amount of risk the organization is prepared to accept in pursuit of its strategic objectives and business plan, taking into account the interests of its customers, the fiduciary duty to shareholders, as well as any regulatory requirements;
- Determine for each material risk, and overall, the maximum level of risk that the organization is willing to operate within, based on its overall risk appetite, risk capacity, and risk profile;
- Include quantitative measures that can be translated into risk limits applicable to business lines and legal entities as relevant, and at group level, which in turn can be aggregated and disaggregated to enable measurement of the risk profile against risk appetite and risk capacity;
- Include qualitative statements that articulate clearly the motivations for taking on or avoiding certain types of risk, including for reputational and other conduct risks across markets, and establish some form of boundaries or indicators (e.g. non-quantitative measures) to enable monitoring of these risks;
- Ensure that the strategy and risk limits of each business line and legal entity, as relevant, align with the institution-wide risk appetite statement as appropriate; and
- Be forward looking and, where applicable, subject to scenario and stress testing to ensure that the organization understands what events might push the organization outside its risk appetite and/or risk capacity.
A couple of key points
Risk appetite is not a reflection of an inherent or residual risk assessment but rather is a limit to which an assessment is compared in order to answer the question: Is the organization's inherent and residual risk within the organization's risk appetite? If not, the risk needs to be further treated. It is not generally permissible to accept risk above the appetite without changing the appetite. Instead, you must mitigate, transfer, or hedge the risk in some manner to bring the residual likelihood and impact down sufficiently.
Secondly, since a risk assessment or a risk-taking activity must be compared to the appetite, the measurement type or rating scale must be comparable. If your appetite is set in dollars, then the risk assessment or activity must be in dollars, and vice versa. The comparison can certainly be based on qualitative values, but the qualitative rating scale needs to be comparable. That is to say, a risk assessment with a "High" rating must mean "High" in the same sense the risk appetite means "High". For example, if you state that a "High" reputation risk appetite is a negative story appearing in the Wall Street Journal, then your risk assessment cannot derive a "High" rating for a negative story appearing in the local newspaper.
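The two points above amount to a mechanical check: compare each assessment's residual risk against the appetite limit for that risk type, flag anything above the limit for further treatment, and refuse the comparison outright when the two sides are not on the same scale. The following is an added example written for this post, not code from the FSB or the author; the risk types, the dollar limit, the "reputation-v1" scale and its anchors are all constructed, and the anchors exist precisely so that "High" is defined identically on both sides of the comparison.

```python
from dataclasses import dataclass
from typing import Union

# Constructed qualitative scale: each rating is anchored to a concrete
# scenario so that the appetite and the assessment mean the same thing by "High".
RATING_ORDER = ("Low", "Medium", "High")
QUALITATIVE_SCALES = {
    "reputation-v1": {
        "Low": "complaint handled internally, no external coverage",
        "Medium": "negative story in a local newspaper",
        "High": "negative story in the Wall Street Journal",
    },
}

Level = Union[int, float, str]


@dataclass(frozen=True)
class AppetiteLimit:
    risk_type: str
    scale: str      # "USD" for a dollar limit, or the name of a qualitative scale
    maximum: Level  # the most risk the organization is willing to operate within


@dataclass(frozen=True)
class Assessment:
    risk_type: str
    scale: str
    inherent: Level
    residual: Level


class ScaleMismatch(ValueError):
    """Raised when an assessment and an appetite are not on a comparable scale."""


def _rank(scale: str, value: Level) -> float:
    """Map a value on the given scale to a number so it can be ordered."""
    if scale == "USD":
        return float(value)
    if scale not in QUALITATIVE_SCALES:
        raise ScaleMismatch(f"unknown qualitative scale {scale!r}")
    if value not in RATING_ORDER:
        raise ScaleMismatch(f"{value!r} is not a rating on scale {scale!r}")
    return float(RATING_ORDER.index(value))


def compare(appetite: AppetiteLimit, assessment: Assessment) -> dict:
    """Is the residual risk within appetite? If not, it needs further treatment."""
    if appetite.risk_type != assessment.risk_type:
        raise ValueError("appetite and assessment cover different risk types")
    if appetite.scale != assessment.scale:
        # Dollars vs. a qualitative rating, or two differently anchored scales:
        # the comparison is not meaningful, so refuse rather than guess.
        raise ScaleMismatch(
            f"appetite is on {appetite.scale!r} but assessment is on {assessment.scale!r}"
        )
    limit = _rank(appetite.scale, appetite.maximum)
    inherent = _rank(assessment.scale, assessment.inherent)
    residual = _rank(assessment.scale, assessment.residual)
    within = residual <= limit
    return {
        "risk_type": appetite.risk_type,
        "inherent_within_appetite": inherent <= limit,
        "residual_within_appetite": within,
        # Accepting above appetite is not permitted; the alternative is treatment.
        "action": "accept" if within else "treat further (mitigate, transfer, or hedge)",
    }


def evaluate_register(appetites: list, assessments: list) -> list:
    """Run every register entry against the appetite statement for its risk type."""
    by_type = {a.risk_type: a for a in appetites}
    results = []
    for entry in assessments:
        if entry.risk_type not in by_type:
            results.append({"risk_type": entry.risk_type, "action": "no appetite defined"})
            continue
        results.append(compare(by_type[entry.risk_type], entry))
    return results


# Constructed sample appetite statement and risk register entries.
APPETITES = [
    AppetiteLimit("fraud loss", "USD", 250_000),
    AppetiteLimit("reputation", "reputation-v1", "Medium"),
]
REGISTER = [
    Assessment("fraud loss", "USD", inherent=900_000, residual=180_000),
    Assessment("reputation", "reputation-v1", inherent="High", residual="High"),
]

if __name__ == "__main__":
    for result in evaluate_register(APPETITES, REGISTER):
        print(result)
```

In the sample register the fraud-loss entry is accepted because controls brought the residual figure under the dollar limit even though the inherent figure was far above it, while the reputation entry is flagged for further treatment because its residual rating still exceeds the "Medium" appetite. An appetite expressed in dollars paired with an assessment rated on "reputation-v1" raises ScaleMismatch instead of producing a result, which is the point of the second key point above.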
Deriving Risk Appetite Statements
It is very difficult for most organizations to come up with risk appetite statements. Often you must pose a long series of scenarios to management and the board until you get a sense of their comfort level around risk. Just because an organization takes on risk in its day-to-day activities does not mean that the risk taking is equivalent to its risk appetite. Take for example a young man who has chosen to purchase his first car, a muscle car with a 500+ horsepower engine. The young man has certainly chosen a higher-risk automobile but has likely given little consideration to his risk appetite for increased insurance rates, tickets for speeding and exhibition of speed/acceleration/performance, and the increased likelihood of harm to property, his person, and others. If you were the parent of the young man, these would be the scenarios you would lay out, perhaps along with some facts and statistics, in order to get the young man to embrace a realistic risk appetite and throttle down the horsepower.
Author: Marshall Toburen
Category: RSA Fundamentals, Blog Post, Securing the Digital World
Keywords: Cyber Risk Appetite, Enterprise Risk Management, Governance, Operational Risk Management, Risk & Compliance (GRC)