The stewardship document obviously has some "comply or explain" regulatory relevance for UK readers, whereas the second is a phenomenally useful benchmarking tool to match up against your own board/executive/committee considerations of risk regardless of your jurisdiction.
The stewardship document then focuses more on reporting obligations, in particular Audit, and the associated consultation was triggered in Jan 2011. I was drawn to their findings on reporting "Strategy, Risk and Going Concern" which touch on communication of risk appetite, namely:
- "differing views as to whether it is either necessary or possible for a board to apply a single, aggregated definition of its appetite for risk as a whole"
- "when developing [the] strategy however, it is important for boards to agree their appetite or tolerance for individual key risks"
- "reporting on the company's risk appetite was felt to be difficult, even if it could be defined, as risk appetite is not constant but varies depending on market conditions"
- Focus reporting primarily on strategic risks (as opposed to those which occur without company action) and
- Disclose such risks to business model and the strategy for implementing said model
- Not to "scatter" descriptions of the risks faced by the company throughout the document
The second document carried additional interest for me, bearing in mind it collates genuine opinion of the decision-making bodies on their existing risk management obligations (and therefore could provide insight into future issues with Use Test evidence, ORSA processes and SFCR/RSR sign-offs). They reiterate that this is not guidance!
Obvious headline from this work is that the Turnbull Guidance will get a brush up in 2012, but I also picked out the following aspects:
- Risk Committee should not be obligatory for all industries
- Boards need to focus on risks that undermine strategy or long-term viability (i.e. Reverse Stress Testing)
- The "velocity of risk" meant that reputational risk requires greater attention
- Essential that boards should focus on "gross" as well as "net" risk (inherent and residual in our lexicon)
- Determining whether a particular risk should be brought to the board's attention remains one of the greatest challenges
- Risk and Internal Audit should have clear reporting lines to board committees
- Investors are seeking "more meaningful reporting on risk", much like that prescribed earlier
- Risk categorisation terminology used is relatively crude (operational and strategic risks being the main distinction made)