While many companies viewed their risk appetite framework as a safeguard against the type of crisis we are currently in, a lot of these frameworks failed due to design and application problems.  However, the concept of risk appetite is still very sound.  Risk appetite is simply the formalization of basic business principles such as making risk-taking explicit, making decisions based on risk-reward tradeoffs, understanding potential outcomes of different decisions, and deciding whether the organization is comfortable with the risk associated with different decisions. This paper, published by PwC, discusses how to improve risk appetite frameworks by learning from three key failings highlighted by the crisis.

Complete Risk Identification Is Needed

Risk management and measurement frameworks often look at risk types in separate silos, but connections between the risk types need to be visible within the organization.  Operational silos between risk types and across business lines need to be broken down.  Steps to break down silos may include risk and business line managers thinking more holistically about issues that could impact their value and redesigning reporting structures to increase information flow throughout the organization.  The scope of the appetite-setting exercise should be expanded to consider how reliant the organization wants to be on different funding sources.  Also, there should be an acceptance that risks will not always be measured perfectly but that stress tests and scenario analysis can help gauge an organization’s ability to cope with surprises and new, emerging risks. 

Risk Information and Management Action Must Be Linked

To be useful, risk appetite must shape the risk-taking behavior of an organization.  Risk information should be gathered and reported regularly so performance relative to targets can be monitored.  The risk appetite framework should include an early warning system that flags changes to the underlying risk profile and mechanisms to force the risk profile back within desired parameters.  Management needs to understand the sensitivities and monitor the drivers so they have time to react to changes and can encourage more or less risk-taking when needed.  Results of sensitivity analyses and scenario analyses need to be taken seriously, and contingency plans for these potential situations should be discussed.  Most importantly, linkages between risk appetite and risk-taking behavior need to be operationalized so that when risk limits are changed by the board or management, different risk-taking behavior occurs throughout the organization.

Boards Should Challenge Management

To effectively fill their oversight role, boards need to receive timely and relevant information, and they need the relevant expertise to challenge management.  Board and risk committee members should have a thorough understanding of the organization’s businesses and underlying risks so that they know when to question the information received.  To effectively challenge management, the mechanisms for questioning need to be revised and upgraded so that scrutiny is more consistent.  Another tool the board has for setting risk-taking is compensation, because the compensation structure can encourage or discourage excessive risk-taking and help keep risk levels within the organization’s appetite.

Key Components of a Risk Appetite Framework

There are several components required to have a successful risk appetite framework:

  • Risk appetite has to fit within the strategy of the organization.
  • All material risks and risk dependencies need to be accounted for in the overall appetite.
  • Risk limits should be set at the business unit level or lower and communicated clearly throughout the organization.
  • Management needs to communicate and regulate how the organization is performing against its risk appetite.
  • Performance measures and rewards must take risk into account.
  • Control and oversight functions must be able to cause review or action when there are concerns.



Link: Immy Pandor and Richard Barfield, “Risk: Getting Appetite Right,” PricewaterhouseCoopers The Journal, May 2009


ERM Enterprise Risk Management Initiative 2009-05-01