In recent years, many companies have scrambled to meet the stringent post-recession regulatory requirements by instituting new ERM plans or augmenting existing programs. However, regulatory compliance is not enough. In order for ERM to create value, companies must seamlessly integrate risk practices into the organization's day-to-day business processes at every level. A key lever for this is to implement a comprehensive risk policy that establishes metrics, exposure limits, and governance processes to ensure enterprise-wide risks are within acceptable levels.
At the heart of such a policy is the risk appetite statement (RAS). An RAS is a concise document that provides a framework for the board of directors and management to address fundamental questions with respect to strategy, risk management, and operations, including:
Corporate directors may well recognize the need for a formal statement of risk appetite, but according to a 2013 National Association of Corporate Directors (NACD) study, only 26% of companies actually have one.1 In this chapter I'll offer a set of guidelines, best practices, and practical examples for developing and implementing an effective RAS framework. Specifically, we'll look at the requirements of a risk appetite framework; the process of developing, implementing, and refining an RAS; and the monitoring and reporting processes that will ensure ongoing observance. We'll conclude with a practical example of an RAS that includes illustrative metrics and tolerance levels for key risks.
A well-developed risk policy in general and an RAS in particular must have the following attributes:
Figure 12.1 provides an overview with these key attributes and the linkages between ERM, risk appetite, risk culture, and reputation.
A risk appetite statement is a board-approved policy that defines the types and aggregate levels of risk that an organization is willing to accept in pursuit of business objectives. It includes qualitative statements and guidelines as well as quantitative metrics and exposure limits. The RAS is implemented through a risk appetite framework, which includes the common language, policies, processes, systems, and tools used to establish, communicate, and monitor risk appetite. The risk appetite framework should incorporate the following elements:
Risk tolerance is often used as a synonym for risk appetite, but in practice it is quite different and plays an important role in the risk appetite statement. Risk tolerances are the quantitative thresholds that allocate the organization's risk appetite to specific risk types, business units, product and customer segments, and other levels. Certain risk tolerances are policy limits that should not be exceeded except under extraordinary circumstances (hard limits) while other risk tolerances are guideposts or trigger points for risk reviews and mitigation (soft limits). Whereas risk appetite is a strategic determination based on long-term objectives, risk tolerance can be seen as a tactical readiness to bear a specific risk within established parameters. Enterprise-wide strategic risk appetite is thus translated into specific tactical risk tolerances that constrain risk-acceptance activities at the business level. Risk tolerances are the parameters within which a company (or business unit or function) must operate in order to achieve its risk appetite. Once established, these parameters are communicated downward through the organization to give clear guidelines to executives and managers and also to provide feedback when they are exceeded. For this reason, risk tolerance should always be defined using metrics that are closely aligned with how business performance is measured (i.e., key risk indicators should be closely related to key performance indicators).
Establishing risk tolerance levels is one of the major challenges in developing an RAS framework, but it is essential to its success. There are many ways to determine risk tolerances. It is up to each organization to decide which ones work best. Table 12.1 offers some approaches that an organization may take to determine risk tolerance levels. Please note that these approaches are not mutually exclusive. Sometimes, a blended approach is best. For example, one may initially set a risk tolerance level using statistical analysis (95% confidence level observation) and then adjust it up or down according to management judgment.
Table 12.1 Approaches to Establishing Risk Tolerance Levels
1. | Board and management judgment |
2. | Percentage of earnings or equity capital |
3. | Regulatory requirements or industry benchmarks |
4. | Impact on the achievement of business objectives |
5. | Stakeholder requirements or expectations |
6. | Statistics-based (e.g., 95% confidence level based on historical data) |
7. | Model-driven (e.g., economic capital, scenario analysis, stress-testing) |
While the main purpose of an RAS framework is to establish limitations on risk, it also provides other important benefits, including:
The development of the RAS is an important early component of ERM program deployment. It provides significant strategic, operational, and risk management benefits because it informs risk-based decision making for the board of directors; executive management; risk control and oversight functions (risk, compliance, and internal audit); and business and operating units. The implementation requirements for an RAS depend on the size and complexity of the organization; the business and regulatory environment in which it operates; and the maturity of its ERM program. The following provides some general guidelines for developing an RAS and for refining it on a continuous basis.
As part of a larger ERM effort, an RAS offers far greater value than merely meeting regulatory requirements. Nonetheless, aiding the process of meeting such requirements is a significant benefit. Whether or not it is actually required by specific laws, regulations, or industry standards, an RAS offers a systematic and holistic approach to controlling risk exposures and concentrations. Successful deployment of an RAS can address the requirements of several common regulatory schemes. Consider the following examples from the financial services industry:
While these regulations are focused on banks, insurance companies, and other financial institutions, organizations in other industry sectors can benefit from the standards and guidelines they provide. Moreover, all companies should understand the RAS framework expectations established by global stock exchanges, rating agencies, and other organizations such as the National Association of Corporate Directors (NACD), Committee of Sponsoring Organizations of the Treadway Commission (COSO), and the International Organization for Standardization (ISO).
Senior management must set the tone at the top and communicate the critical role that the RAS plays in the risk-management process. This communication should come from the CEO, CFO, CRO, and other senior business leaders and be directed at key internal stakeholders. Such communication may take place in town hall meetings, workshops, corporate memos, or e-mails. It should clearly articulate the support from the board and corporate leaders and provide the implementation steps, expected benefits, regulatory requirements, industry standards, and business applications of the RAS for key stakeholders. Additionally, internal stakeholders who are responsible for developing and implementing the RAS framework should receive appropriate training.
With the appropriate communication and training completed or well underway, the organization is ready to develop the RAS. The executive sponsor (e.g., the CRO or CFO) of the RAS should organize a series of workshops with risk owners (e.g., business and functional leaders) to develop the risk appetite metrics for their organizational units while the CEO and key executive team members develop those for the overall enterprise. The purpose of these workshops is to develop the RAS with input from all of the risk owners by addressing the following questions sequentially:
Figure 12.2 provides a diagram of the logical flow of these questions in the context of a risk/return bell curve. Unfortunately, many companies break down this logical flow by separating the strategy and ERM components. These companies generally define strategic objectives and KPIs as part of strategic planning (Steps 1 and 2 in Figure 12.2) and provide reporting to the executive committee and the full board. Separately, they perform risk assessments and develop KRIs as part of ERM (Steps 3 and 4) and provide reporting to the ERM committee and the risk or audit committee of the board. The integration of strategy and ERM (integrating Steps 1 through 4) provides much better analysis, insights, and decision-making, including the alignment of KPIs and KRIs for the RAS framework. In other words, don't dissect the bell curve and look at return and risk separately!
These workshops might take place over the course of a few months. By the end of this step, the executive sponsor should be satisfied with the quality of the initial risk-appetite metrics and risk tolerance levels. The key objective of these workshops is to develop an initial set of KPIs and KRIs with their performance targets and risk tolerances, respectively. Some of the proposed metrics might be aspirational, and the risk owners will need time to flesh them out with real-world data. A subset of available metrics will be the basis of a prototype RAS and dashboard report in the next step.
Based on the output from Step 3, the team can produce a prototype document for the RAS to generate discussion and kick off what will become an iterative process. This document should include the RAS framework, a dashboard report with risk appetite metrics, and the RAS itself with qualitative statements and quantitative risk tolerances. (For more, see “Examples of Risk Appetite Statements and Metrics,” below.)
The executive sponsor can use this prototype document to socialize the prototype RAS and obtain input from corporate and business executives as well as select members of the board of directors (e.g., chairs of the risk and audit committees). Based on management and board feedback, the team can then produce a final RAS framework and dashboard report.
At this stage, the RAS is ready for management consideration. The executive team should take the time to discuss and vet the RAS thoroughly. This discussion may lead to changes in the risk appetite statement, metrics, and/or risk tolerance levels. Once this is complete, the executive committee or ERM committee would issue final approval.
The RAS should next be reviewed by the full board of directors, who will similarly discuss and challenge it. A key objective in this step is to establish a concise set of risk-appetite metrics and risk tolerance levels that are appropriate for board-level oversight and reporting. Final approval may come from the risk committee, audit committee, or the full board. Nonetheless, the full board should review the RAS in the context of the overall corporate strategy.
After management and the board approve the RAS, management should communicate it to all employees. This is because everyone plays a role in risk management and should understand the organization's overall risk appetite and tolerances. This communication should define risk ownership as well as the roles and responsibilities for implementing the RAS framework. (See “Roles and Responsibilities” for details.)
Ideally, the RAS would be closely aligned with the development of business plans and risk policies. The business world is dynamic and fluid, and the RAS must be responsive to significant changes in the competitive environment, regulatory guidance, risk-adjusted return opportunities, and the organization's risk profile and risk capacity. As such, the RAS, business plans, and risk policies should be “living documents” that are regularly reviewed and updated given key changes in the organization's business environment.
In order for the board and executive management to provide effective governance and oversight of the RAS framework, including the key risk exposures and concentrations of the organization, the ERM team must establish risk dashboard reports and monitoring processes. (See “Monitoring and Reporting” below for an example of an RAS dashboard report.)
In addition to off-cycle reviews that ensure the company's risk appetite is responsive to significant changes in the business environment, the company should conduct a formal review of the RAS at least once a year. This formal annual review includes proposed changes to the RAS framework and risk tolerance levels, alignment with business plans and risk policies, and management and board approvals.
Moreover, the organization should look for opportunities to improve the RAS framework on a continuous basis. These enhancements may include economic capital models, stress-testing and scenario analysis, technology solutions and reporting tools, broader coverage of risk, exception management plans, and integration into strategic and business decisions.
The process of developing, implementing, and renewing a comprehensive RAS framework should involve key stakeholders from every level of the organization. Figure 12.3 provides a summary of the main roles and responsibilities for the business units, executive management, and the board. The RAS itself should document specific roles and responsibilities for carrying out the risk policy, including reporting and exception-management processes.
The “three lines of defense” model described in Chapter 8 offers a lens through which to view the risk governance structure and roles defined in the RAS:
As active participants in the workshop meetings discussed previously in Step 3, the business and functional leaders are also responsible for defining their strategies and aligning them with the appropriate risk appetite and tolerance levels. Once the RAS is established, they must report policy exceptions to the CRO and/or executive management. The business and functional units are ultimately accountable for how well their businesses and operations perform vis-à-vis the risk tolerances established in the RAS.
The CRO and the ERM team are responsible for developing analytical and reporting tools to measure and monitor aggregate risk exposures against risk tolerances. They also must provide business context, expert analyses, and root causes for any risk tolerance breaches. Executive management is ultimately accountable for how well it optimizes the risk/return profile of the organization and for the strength of its risk culture.
The board is ultimately responsible for ensuring that an effective ERM program is in place, including a robust RAS framework. To fulfill this critical fiduciary responsibility, the board must receive timely, concise, and effective risk reporting from management, usually in the form of an RAS dashboard. This dashboard should clearly highlight any risk metric that falls outside its associated tolerance (e.g., by showing it in a “red zone”) and include commentary that explains the root causes for the policy exception along with management's plans and timeframe for remediation. We'll give a fuller introduction to the RAS dashboard below, with a complete discussion to follow in Chapter 19.
The venue and timeframe for RAS monitoring will vary based on the business, function, and organizational level. For example, IT may monitor tactical risk metrics and warnings on a real-time basis in its data center “war room” where performance and risk indicators are displayed across multiple interactive screens. A business unit, and the ERM function, may monitor key business and risk metrics on a weekly basis, with more formal monthly or quarterly reviews. Executive management and the board would monitor the RAS based on their committee schedules.
An effective RAS dashboard reporting process should be structured to produce consistent reports at various levels of the organization. Bear in mind that the number and types of metrics would likely vary with the target audience. Figure 12.4 provides an illustrative example of an RAS dashboard reporting structure. The report is organized into five primary risk categories: strategic/business, financial, operational, compliance, and reputational. Each risk category has a set of risk metrics assigned with tolerances or ranges that act as limits or guidelines for acceptable risk exposures. In this example, these metrics are tracked over the previous four quarters.
Figure 12.5 shows an illustrative RAS dashboard report with specific metrics and tolerance levels for each major risk type. It is important to note that the RAS is meant to capture only the most critical risks. Otherwise, it would be far too unwieldy to be effective. By pinpointing the most useful risk metrics, the RAS aims to provide an overall, holistic view of the company's risk profile. For instance, it should identify key risk indicators (KRIs) that link to the main drivers of short- and long-term performance. These KRIs can alert management to the potential for unacceptable business outcomes and trigger corrective actions.
As an alternative or complement, the RAS metrics can be organized into separate reports by major risk type. This way, the risk executive responsible for that area can provide business context and expert commentary along with the RAS metrics. This reporting structure integrates qualitative and quantitative information, as well as allows for a greater number of RAS metrics.
An effective RAS should provide a “cascading” structure of risk exposures and limits at the board, executive-management, and business-unit levels. This structure allows users to drill down to underlying exposures to answer specific questions and issues (e.g., “What business activities make up our strategic risk exposure to China?”). Similarly, it aggregates business-level exposures upward to the enterprise level (e.g., “What is our total net credit exposure to Goldman Sachs across the entire enterprise?”). The level of detail visible for each metric depends on the needs of the specific audience (i.e., board, corporate management, or business unit). Figure 12.6 provides an illustration of cascading risk appetite statements at the three levels of the organization. As shown, the RAS would be at its most dynamic at the business level, where managers may choose to make changes based on risk/return opportunities while respecting board- and management-level risk tolerances.
Certain types of risk metrics will naturally aggregate across the organization while others are unique to specific business and operational units. Since the board and executive management RAS reports are focused on strategic and enterprise-wide risks, they should focus on aggregate risk metrics, such as:
Finally, the RAS should provide a “common language” for the ERM program. This would consist of a glossary of relevant business or technical terms and acronyms as well as a data dictionary that describes each risk metric, how it is calculated, where the underlying data is generated, and why it is included.
The following sections provide examples of risk appetite statements, performance and risk metrics, and risk tolerance levels for the following risk categories: enterprise-wide risk, strategic risk, financial risk, operational risk, legal/compliance risk, and reputational risk. For simplicity, each risk appetite statement is paired with one or two example metric(s) and risk tolerance level(s). In practice, there may be a number of risk metrics and risk tolerances for each risk appetite statement.
The objective of our ERM program is to minimize unexpected earnings volatility and maximize shareholder value. The following risk appetite statements, metrics, and risk tolerances are in support of this overarching objective:
We strive to diversify our business portfolio to mitigate exposures to macroeconomic changes. Our business units will only pursue investment opportunities and business transactions that are consistent with the overall corporate strategy and our defined core competencies. We will focus our marketing efforts and technology initiatives to enhance significantly customer experience.
We take financial risks in order to support our core business activities. We cannot predict the direction of financial markets and therefore do not speculate on markets to generate income. We manage our liquidity position in a conservative manner for both expected and stressed business conditions.
We establish and test internal control systems to prevent, detect, and mitigate operational risk exposures. Each business unit is required to identify and assess its operational risks and ensure that they are measured and managed effectively.
We will conduct our business within the confines of all laws and regulations. Every employee is held accountable for maintaining the highest ethical standards.
Our reputation is extremely valuable, and it is every employee's responsibility to safeguard and enhance it. The board, CEO, and senior management will ensure that the level of reputational risk the company assumes is managed effectively.
The risk appetite statement is a foundational component of an effective ERM program. It establishes a board-approved policy that aligns the organization's risk tolerances with strategic objectives, risk profile, and risk-management capabilities. For the board, executive management, and business and operational staff, the RAS addresses a central question: “How much risk are we willing to accept to pursue our business objectives?” A risk appetite framework defines what key types of risk a company faces and sets tolerance levels to serve as guides and limits for decision-making at every level. To develop an RAS, a company must begin by assessing regulatory requirements before developing and socializing a prototype, obtaining management and board approval, and finally communicating the policy throughout the organization. A well-developed RAS framework will have a cascading structure based on the three lines of defense (business unit, management, board) so that each organizational level understands its responsibility and so that risks can be properly aggregated across the company.
The only thing certain in business is uncertainty. The RAS is an essential tool for any organization that strives to pursue its business strategy while managing all of its significant risks. By establishing strategic priorities and risk boundaries for all employees, a robust RAS that is communicated effectively can also have a profound impact on an organization's risk culture.