Risk-based performance

Integrating Risk Appetite into Business Strategy

2012-01-19T16:23:23Z

Following on from Andrew Smart's previous article 'Defining Risk Appetite', we will now explore how Risk Appetite can be integrated into Business Strategy.

The 2008/2009 credit crunch and subsequent catastrophic economic fallout in the US and Eurozone has demonstrated the impact that failure to integrate risk management at the heart of strategy execution can have on shareholder value. As organisations wake to the reality of their post-credit crunch operating environment, many will have to re-think how they formulate, set and execute strategy. At the heart of this is risk appetite.

Compared to existing risk standards such as COSO and BS31100, Manigent, a Strategy Execution and Risk Management consultancy, uses a slightly broader definition of risk appetite: the amount and type of risk that an organisation is willing to accept, and must take, to achieve their strategic objectives and therefore create value for shareholders and other stakeholders. Core to this definition is the phase ‘must take’ – it implicitly recognises that to execute strategy and create value, organisations must take risk. It explicitly recognises that risk is not just about managing potential threats but also about exploiting opportunities.

Defining Risk Appetite

Risk appetite is a board level tool which should be used by the board to set boundaries within which the executive team and the organisation must execute strategy and take risk.

Within the UK, the role of the board in respect to risk appetite has become enshrined on the statute books with the revisions to the UK Corporate Governance Code, May 2010 which sets out the following: The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives, i.e the board is responsible for determining risk appetite.

As a board level tool, the definition of risk appetite must be closely coupled with the definition of strategy; it should, therefore, start at the strategy formulation stage, be refined in the strategy setting stage and guide strategic execution and alignment throughout the strategy execution stage. This is achieved by using key business drivers as the ‘lens’ by which the organisation views and thinks about risk.

Business drivers are those vital few factors that disproportionally influence the success or otherwise of a business or industry. For example, ‘economic capital’ might be a key business driver of the investment banking industry along with ‘reputation’. While there may be other business drivers identified, the board may decide to use only these two business drivers as the ‘lens’ through which they will view risk, as such they become the foundation of the risk appetite statement.

Once the board (typically in conjunction with the executive) has agreed the key business drivers they will use in the definition of risk appetite, they should develop a shared understanding of levels of risk, as documented in the table below. This establishes a common language and standard frame of reference that the board (and executive) can use to discuss risk at the corporate level of the business (and in future these levels can be cascaded through the business).

In addition to enabling organisations to monitor the alignment of risk-taking to strategy, defining risk appetite using key business drivers also enables the cascade of risk appetite levels through the organisation, meaning that the board can use risk appetite to ‘set the tone from the top’, providing the organisation with the boundaries within which to operate and the subsidiary business units, divisions etc. can use align their individual risk appetite statement to the corporate statement.

With a common language and standard frame of reference, the board is in a position to consider and decide what level of risk they are willing to take to achieve the strategic objectives they have defined. Often this process is an iterative one, which will see both the organisational strategic ambition and risk appetite adjusted to create alignment. This iterative process is critical to enable the board to really develop a deep and realistic view of what the organisation can sustainably achieve (the strategy) and the level of risk taking required to deliver that strategy (risk appetite).

Once the organisation has determined its strategy and associated level of risk appetite it should conduct a risk assessment to understand the current level of risk-taking within the organisation. The results of the risk assessment exercise should be translated into the same ‘buckets’ of risk used within the risk appetite statement. This enables an organisation to consider the alignment of risk-taking (based on the results from the risk assessment exercise) to strategy (as expressed in via risk appetite).

A powerful tool for monitoring the alignment between risk taking and the strategy is the Appetite Alignment Matrix. This matrix was designed by Manigent to provide a simple, visual way of understanding alignment between the current level of risk taking based on enterprise-wide risk assessments and the strategy as expressed by taking an aggregated view of the risk appetite levels assigned to each strategic objective.

The appetite alignment matrix is articulated around three zones. The main diagonal is the optimal zone, where the firm can determine risk appetite and the risk exposure induced by the business strategy are aligned. Above, three risks are in the optimal zone. For one, the company has both a medium appetite and a medium exposure. It may be, for instance, the risk of currency exchange for a business operating both in the UK and in the Eurozone that partially hedges its currency exposure. Risk and exposure are aligned for a second risk in which the company has both a high appetite and a high risk exposure, and thirdly, where the company has both an extreme appetite and an extreme exposure. An example of the latter could be the risk exposure to markets fluctuation for a broker – dealer. In other words, extreme risk exposure is acceptable as long as it is fully acknowledged and managed by the business.

The two other zones of the alignment matrix are suboptimal, either inefficient or dangerous. In the upper white zone of the matrix, risk appetite is larger than the actual risk exposure. In that case, the business is not taking the full risk he is allowed to take, either by being over controlled or under exposed. Examples of such situations could be a credit institutions not lending to its full capacity (underexposure) or a credit card company blocking too many transactions due to over cautious fraud system alerts (over control). In both cases, money is lost, not in operational risk event but in opportunity costs due to inefficiencies. Four risks are located in this zone in our example matrix.

The lower white zone of Appetite Alignment Matrix should be a concern for risk managers and business executives alike. This is the zone where risk exposure exceeds risk appetite: the business is taking more risk than it is willing or capable of taking. Six risks falls in this zone in the above matrix, two for which the exposure is extreme while the business risk appetite is only moderate. This is most likely to be caused by negligence of assessing risk in the organisation, either by ignorance or by lack of risk culture that leads executives to pay poor or no attention to the risks that they strategy initiate. Examples are diverse, from entering a new market to launching a new product.

Strategy, we know, is of upmost importance when running a business. We argue here that risk is about just as important. It is by properly aligning strategy and risk when reflecting on its risk appetite that a business can gain definitive competitive advantage.

Andrew Smart

To hear more from Manigent click here.

What is Risk Appetite?

2012-01-19T16:16:57Z

Risk Appetite Explained
In the face of the many recent failures of financial institutions, following market and asset crises and in the context of mounting regulatory demands from Basel 3, Solvency 2 and Dodd Frank, risk management is a topic high on the executive agenda. In particular, much emphasis has been placed on risk appetite and the role it has to play in an enterprise risk management approach, as part of an overall strategy execution process.

But what is Risk appetite?

First and foremost, risk appetite is a necessary dimension of an organisation’s policy that sets the boundaries within which their executive team and others within the business execute strategy and take risk. It is set at board level and it is not something that can or should be delegated, either to the executive team or risk team.

What the Standards Say
The Committee of Sponsoring Organisations of the Treadway Commission’s (COSO) Enterprise Risk Management – an Integrated Framework, 2004 defines risk appetite as the amount of risk, on a broad level an entity is willing to accept in pursuit of value. COSO makes two key points related to appetite. Firstly, it states that [risk appetite] reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style. Secondly, COSO establishes the link between appetite and strategy, stating explicitly: risk appetite is directly related to an entity’s strategy.

The Risk Management Code of Practice from the British Standards institution, BS31100:2008 defines risk appetite as the amount and type of risk that an organisation is prepared to seek, accept or tolerate. This standard also relates appetite to strategy and governance stating: considering and setting a risk appetite enables an organisation to increase its rewards by optimising risk taking and accepting calculated risks within an appropriate level of authority.

What Manigent Says
Manigent, a Strategy Execution and Risk Management Consultancy Firm, provides a slightly broader definition of risk appetite as: the amount and type of risk that an organisation is willing to accept, and must take, to achieve their strategic objectives and therefore create value for shareholders and other stakeholders. By adding ‘and must take’, Manigent’s definition expresses that taking risk is an inherent part of strategy execution and value creation. Risk is not just about avoiding potential losses, but also about exploiting opportunities.

Why is Risk Appetite Important?
Many times, history has demonstrated that companies having a ‘performance-only’ approach to strategy execution, were they are prone to losses and failures once adverse circumstances emerge. The cascade of bank failures trapped into excessive credit derivatives exposures in 2008, the hard landing of the US economic after a widely identified, yet widely disregarded, asset bubble, the gigantic losses of the insurance sector in the aftermath of the technological bubble burst, the current struggle of continental banks stuck with excessive exposure to European sovereign debt, billions of rogue trading losses at Société Générale and UBS, the failure of MF Global after a strategy push for proprietary trading. Examples pleading for a risk based approach to strategy execution are countless.

This implies, at Board level, a decision on the amount of risk the organisation is capable and is willing to take, that translate into a Risk Appetite Statement.

The Necessary Features
Risk appetite statement needs to be defined at the top, in line with the strategy and the value drivers of the business, transparent, unambiguous, and cascaded down through all decision levels of the organisation.

Rather than “are we on track to hit our targets?, board members and executives must ask a different question: “is the organisation operating within appetite?”. This question puts the alignment of risk-taking to strategy at the heart of the strategic conversation and incorporates both the performance and risk dimensions of strategy execution.

As a board level tool, Manigent believe that the definition of risk appetite must be closely coupled with the definition of strategy. Therefore, one of the first steps in the risk appetite definition process is to define a clear set of business drivers related to the organisation’s business model and strategy. Once the board and executive have determined the business drivers, those few key determinants of success, these should then be used to define the organisational risk appetite.

Board involvement in setting and monitoring adherence to firms’ risk appetite and the presence of actionable elements that articulate firms’ intended responses in cases of breaches in limits are two key features highlighted by the Senior Supervisors Group in their report on the risk management lessons from the 2008 crisis.

A Risk Appetite Statement is a set a limits within which a company is allowed to operate. Any breach of those limits during the execution of the strategy must be reported to the Board that will either allow an exception or revise its risk appetite based on due justification, or take appropriate actions to reduce to risk exposure and realign the exposure of the business within its appetite. Manigent fully supports and helps his clients adhering to these good principles of corporate governance, widely recommended to the financial services industry.

Andrew Smart

To hear more from Manigent click here.

With thanks to Risk Management Magazine for publishing this piece. To subscribe to their Risk newsletter visit: http://www.riskmagazine.com.au/subscribe/newsletter/

The seven management disciplines of Risk-Based Performance Management (RBPM)

2012-01-09T20:20:55Z

Risk-Based Performance Management (RPBM) is a strategy execution and risk management methodology which is designed to enable organisations to drive sustainable strategic execution while ‘operating within appetite’. Core to RPBM is the understanding of ‘risk appetite’: that is the amount of risk that the organization is willing to, or is required to take in the pursuit of its strategic goals.

The approach incorporates and integrates seven management disciplines;

1. Strategy Management is about developing a clear sense of direction as to where the organization is going, how much risk it is willing or required to accept to get there, and what are the key opportunities and threats (risks) along the way. The direction which an organization has chosen to take can be expressed via a set of strategic objectives. Alongside defining the objectives, the organisational risk appetite should be defined. Integrating the definition of risk appetite with objective definition is the key process that links strategy and risk management: how much and what type of risk is an organization willing or required to run to achieve its objectives.

2. Performance Management is where strategic objectives are delivered either through executing day-to-day processes to a continuously improving level of performance or by undertaking a set of initiatives. Strategy execution is essentially achieved either by improving the way the organization is run or by changing the way it is run. The performance of processes should be monitored via associated key performance indicators (KPIs).

3. Risk Management is all about understanding threats and opportunities - the risks the organization faces in pursue of its objectives - and the continuous monitoring and management of those risks. One of the key ways that risks are managed is via an effective controls environment. Controls are the processes, policies, practices or other devices or actions designed to affect control over the risk. Key controls should be defined for each risk identified and the effectiveness of those controls regularly assessed.

4. Appetite Alignment is the process of continuously aligning current risk exposure to the defined risk appetite. It is about understanding if risk-taking is aligned to the chosen business strategy: i.e. are we operating within appetite. RBPM introduces a new management tool, called the Appetite Alignment Matrix which is designed to help organizations understand where they are ‘operating within appetite’.

5. Governance within the RBPM approach is based on the RACI framework. RACI is an acronym for Responsible, Accountable, Consult and Information and is used to clarify individual’s roles in the achievement of objectives and management of risks.

6. Communications is a critical enabler of successful change when an organization is setting out to take an integrated approach to strategy and risk management. For effective RBPM, the following five C’s of communications should be deployed;

Clarity
Credible
Concise
Context
Consistent

7. Culture is perhaps the ultimate strategy execution and risk management tool. We use the term a Strategy-focused, Risk-aware culture to describe the type of culture which has the dexterity to simultaneously remain focused on delivering a clear set of objectives while scanning broadly to identify the threats and opportunities which may help or hinder the achievement of those objectives. There are seven key characteristics of the Strategy-focused, Risk-aware culture;

Driven by a compelling vision
Live by a clear set of values
Led with integrity
Align risk-taking to strategy
Established clear accountabilities
Engage in high quality conversations
Incentives are aligned to appetite

Managing Business Risk - Risk-Based Performance Management Chapter

2011-12-12T21:54:26Z

The Risk-Based Performance Management methodology was again included in the IRM book, Managing Business Risk. The chapter is available for download here

Risk technology spending to hit $23 billion by 2013

2011-11-07T20:23:00Z

London – 7 November 2011: Compliance and integration to drive risk technology expenditure according to the sixth edition of Chartis Research’s RiskTech100® report.

"There is a quiet revolution taking place in the financial services industry, where the disciplines of risk and finance are converging," comments Peyman Mestchian, Managing Partner of Chartis Research. He says that it is characterized by better alignment of the CFO and CRO and is leading to a re-think of organizational structures, business processes and underlying technology architectures.

While Mestchian says that regulation continues to play a major role in driving demand for risk technology, he also points to a trend towards "value-based compliance" moving away from the traditional "tick box" mentality.

However, the technology does not come cheap and Chartis estimates that in the financial services sector alone organizations will spend over $23 billion in 2013. Much of the expenditure is driven by the proliferation of regulations such as Dodd Frank, Basel II, Basel III and Solvency II.M&A activity helped to improve the positions of some of the companies appearing in the RiskTech100® rankings. The top five places are occupied by IBM, SunGard, SAS, Oracle and Moody’s Analytics. Geographically, the list of top risk technology vendors is dominated by the US, with 50 companies, followed by the UK with 18 companies, France with seven and Canada with four.

"Risk technology vendors are responding to new market demands for robust, more cost effective integrated solutions, through continuous product innovation and integration," Mestchian adds.

About the RiskTech100®
The RiskTech100® is recognized globally as the most comprehensive and prestigious study of the top technology companies active in the risk management market and is available from www.chartis-research.com. RiskTech100® is a Registered Trade Mark of Chartis Research Limited

About Chartis Research
Chartis is the leading provider of research and analysis on the global market for risk technology. Its goal is to support enterprises as they drive business performance through better risk management, corporate governance and compliance. Chartis helps clients make informed technology and business decisions by providing in-depth analysis and actionable advice on virtually all aspects of risk technology. Chartis is authorized and regulated by the Financial Services Authority (FSA) for providing investment advice - (www.chartis-research.com).

Excellent Operational Risk Management training video

2011-10-26T11:48:55Z

Draft whitepaper–Embedding Risk Appetite within the Strategy process

2011-10-05T13:17:13Z

Recently I have been working on a white paper with James Creelman titled Embedding Risk Appetite within the Strategy process. While it will be available soon on the Manigent website, for readers of this blog and members of our Linkedin group, I am making a draft available.

Download the paper here

As always, I encourage comments or feedback – alternatively send me an email.

Risk management: Driving value from a long game approach

2011-09-26T07:49:28Z

Can a firm ever demonstrate the benefits from an improved approach to the management of risks?

This is the question that the Head of Operational Risk at HML sets out to answer in this blog post. Having worked with HML for a number of years now, it is great to see their risk management approach delivering such tangible benefits. I would encourage you to read and make a comment about this post.

UBS on Risk Management

2011-09-24T07:38:44Z

Risk is our business, I can assure you, as long as I’m here, as long as my colleagues are here, we do know about risks. If things do go wrong you won’t hear us saying we didn’t know it. Oswald Grübel, UBS’s chief executive, November, 2010

Warren Buffett on Risk Management

2011-09-24T07:34:17Z

Charlie [Munger, vice-chairman] and I believe that a CEO must not delegate risk control. It’s simply too important. At Berkshire, I both initiate and monitor every derivatives contract on our books . . . If Berkshire ever gets in trouble, it will be my fault. It will not be because of the misjudgments made by a risk committee or chief risk officer. Warren Buffett, 2009 letter to Berkshire Hathaway shareholders.