I thought of this when looking through the IRM's risk appetite and tolerance paper released at the end of last week (separate post to follow incidentally, only so many hours in the day!), specifically whether there was anything being promoted/supported by the institute which may have averted this rather grim result for the boys from Berne.
Six IRM principles to start with:
- Risk appetite can be complex - don't try to dumb it down if it isn't justifiable
- Risk appetite needs to be measurable
- Risk appetite is not a single fixed concept
- Risk appetite should be developed in the context of an organisation's risk management capability
- Risk appetite must take into account views at strategic, tactical and operational level
- Risk appetite must be integrated with the control culture of the company
Some great quotes below from their website (highlights are for my benefit):
High Level – Risk Management and Internal Control
The [risk controls] framework is dynamic and continuously adapted as our businesses and the market environment evolve. It includes clearly defined processes to deal with new business initiatives as well as large and complex transactions.
Risk assessment and management oversight performed by the BoD considers evolving best practice and is intended to conform to statutory requirements.
Our risk appetite framework establishes risk appetite objectives in respect of earnings and capital levels that we seek to maintain, even after experiencing severe losses over a defined time horizon.
Our risk appetite is approved by the BoD. Risk appetite is based on our risk capacity, which is in turn based on our capital and forecasted earnings resources. Our overall risk appetite is set as an upper limit covering the aggregate risk exposure for each risk appetite objective, taking into account inherent limitations in the precision of risk exposure measures that focus on extreme market and economic events. Comparison of the firm's risk exposure with our risk capacity under prevailing operating conditions as well as prospective business plans serves as an input to the risk limit framework. This comparison is also a key tool to support management decisions on potential adjustments to the risk profile of our firm.
Management and risk committees are the governing bodies responsible for oversight and active discussion of risk management activities, including the question of whether or not the cost of mitigating actions is adequately balanced against the acceptable level of operational risk. Management, in all functions, is responsible for establishing an appropriate operational risk management environment, including the establishment and maintenance of robust internal controls and a strong risk culture.
Material operational risks and significant internal control deficiencies are identified and reported at least quarterly to stakeholders, including the BoD, GEB, divisional/regional/local management, Group Internal Audit, external auditors and regulators.
We have developed a model for the quantification of our operational risk, which meets the regulatory capital standard specified by the Basel II advanced measurement approach (AMA). Our model has two main components. The expected loss component is a statistical measure based on our own historical loss experiences (collected since 2002), and is used primarily to determine the expected loss portion of our capital requirement. The unexpected loss component is based on a set of generic scenarios representing categories of operational risks that are relevant to the firm. The scenarios are reviewed extensively on an annual basis by internal experts, using internal and external event information, information about the prevailing business environment and our own internal control environment. This component is used to determine the unexpected loss portion of our capital requirement.
Risk and Reward