Having had a good sniff through, I struggled to find anything controversial in COSO's take on things, and, whether by accident or by design, it treads the same path as Richard Anderson's paper from the IRM.
The following quotes provide some of the more salient points made by the authors;
- "Risk appetite is the amount of risk, on a broad level, an organisation is willing to accept in pursuit of value" - not a bad way to think of it for an insurer (i.e. embedded value), though the 'broad level' add-on is unnecessarily and disconcertingly vague. This incidentally runs against one of the IRM's key principles, namely that risk appetite must be measurable (p7).
- Authors believe that "...when properly communicated, risk appetite provides a boundary around the amount of risk an organisation might pursue" - without splitting hairs, the definition of risk appetite above isn't especially black and white!
- The three risk appetite steps of "Develop-Communicate-Monitor and update" are spot on, however, one might think that the "develop" piece is already done in most organisations (or why would the owners get up in the mornings?), and communicating it is the big issue.
- Should create a Risk Appetite Statement which is "broad enough yet descriptive enough for organisational units to manage risks consistently within it" - good point, as of course some departments of a business would struggle without such breadth in their appetite statement (business continuity and marketing spring to mind)
- Similarly, that statement should "balance brevity with the need for clarity"
- Confidently states that "we all know the costs of failing to manage risk", but dished out some pretty generic examples, bearing in mind the zingers which have pitched up over the last three years
- Exhibit 1 on considerations affecting risk appetite is a very smart schematic for provoking thought at executive level
- Box on p5 has a rather definitive statement around there being a lack of risk appetite articulation which contributed to the current financial crisis - certainly wasn't a problem at Lehman's, more that it was a moveable feast!
- Handy box on p7 which covers the tie-in between what rates as an "adequate" ERM Framework in the context of S&P's ratings methodology, and what management must be able to articulate on the Risk Appetite front.
- Some very nice examples (p8-10) of risk appetite statements from different industries, and of risk tolerance statements anchored to associated risk appetite statements (p13-14).
- The big one - differentiating Risk Appetite and Risk Tolerance - is on p11. Whether you agree with the COSO conclusion (i.e. that Risk Tolerances implement Risk Appetite within each operating unit's sphere of influence), it does at least try to square the circle, and the clarity should benefit practitioners. However, the statement "While Risk Appetite is broad, Risk Tolerance is tactical and operational" is poor - I'm guessing one could substitute "broad" for "strategic", or "tactical and operational" for "specific", and it makes sense.
- Interesting list on p16 of questions to facilitate Board-level discussions on Risk Appetite which I suspect is probably too wordy for many Boards to throw themselves into wholeheartedly.
- Starts to peter out towards the end, which is normally the case with such guidance materials (once you start descending into 'performance models', communications strategies and risk culture, the ability to prescribe content and form to disparate organisations diminishes substantially).
Ultimately, while the document is of considerable use for anyone who needs a reputable crutch on the topic (and is perhaps outside of financial services), it is probably too generic to be of great use as an aide-memoire to any Solvency II-covered insurers, and I would stick with the IRM's take ("those risks that [an organisation] actively wants to engage with" when scripting a Risk Appetite Statement.
Chapeau for the good parts nevertheless...