
Tuesday, 10 September 2013

Towers Watson - 'Risk Appetite revisited' (did we ever leave it?)

I have been doing a little work on Risk Appetite in the background recently, so was intrigued to have a read through this recent release by Towers Watson on the subject, seemingly targeted at North American and UK markets, but relevant to any practitioner in this space. Somehow I wasn't put off by p6 when, in response to the hypothetical question 'What is Risk Appetite', they responded with, "...we do not want to focus too much on the issue..."!
Appetite - second helpings?

I had blogged earlier this year on Risk Appetite, covering the expectations of EIOPA on the matter (which are few), as well as the more pokey/proddy stakeholders like the PRA/Central Bank of Ireland/S&P (which are several!), so the backdrop of risk appetite's practical significance to insurers doesn't need to be repeated here, more how consultants and practitioners are improving their game on the ground. Worth noting here that a few of the other consultancies have proffered their two cents on the matter over the last year or so (here, here, and here).

While interest in 'risk appetite' is currently piqued at governmental level thanks to the forensic examination of the banking industry's failings (multiple references in Parliamentary Commission evidence here and here for example), the driver of activity in the UK and Ireland is predominantly from the regulatory compliance perspective rather than expectations of bespoke, strategy-driving activity. In addition, we now see the emergence of Internal Audit as a party with a vested interest in the matter, which has the potential to draw the subject even more to a tidy, but ultimately superfluous documentation exercise.

With that in mind, Towers note that this paper is focused on "...enhancing risk appetite by improving its articulation, via clearer linkages to mission and strategy", and a rather derisive tone is therefore applied throughout regarding the familiar quantification methods preferred by regulators to monitor likelihood of insolvency in the next 12 months, giving equal billing to non-monetary capital and qualitative measurements. The paper also crosses some familiar ground, such as a lack of consistent terminology, which it tries to address (below).

Oddly, the document does not reference the FSB's thematic review of risk governance earlier this year, which will surely drive efforts in this space in the medium term, if only due to the paucity of certainty on the subject. That the FSB believe that regulators have "more work to do" is striking, and while they also bemoan the lack of common terminology, they don't let that prevent them from offering definitions of their own, as well as listing their "Key features" of a Risk Appetite Framework.

More obvious statements

  • "..clearer linkages are needed to mission and strategy for risk appetite to be effective"
  • "risk appetites must include boundary constraints"
  • "We suggested that greater clarity around the definition of risk is needed..."

Definitions

  • Risk - "In this context, risk should be defined in terms of those events and circumstances that may result in an insurer failing to deliver on its mission."
  • Risk appetite - "...the manner in which a company expresses an identified set of risk-trading opportunities, and sets boundaries on its risk-trading among those opportunities, aligned with successfully delivering on its mission."
  • Risk strategy - "The company’s risk strategy articulates how risk fits with the mission".
  • Risk tolerance - "Risk tolerances are a quantitative extension of the risk strategy...risk tolerances must be measurable...[and] place quantitative boundaries on the company’s strategy"
  • Risk limits - "Risk limits are more granular tolerance levels expressed for specific risk sources, business units, and/or products that are used to implement the risk tolerances."
  • Risk appetite statement - "...risk appetite statements should be taken as the combination of risk strategy tolerances and preferences, bringing together qualitative and quantitative enterprise perspectives on risk as both opportunity and threat."
  • Mission - "mission is the insurer’s unique multi-period and multi-stakeholder value creation proposition."

Technical suggestions

  • They promote four facets of risk assessment: size, likelihood, impact and significance.
  • For those working on statement content, they recommend "...since published mission statements can be fairly terse, the risk appetite may need to look beyond the explicit elements of the mission and consider elements that are implicit." Instinctively that feels unfair, but I guess the world of implicity is one for the second line to inhabit, while the first line concentrate on value-adding.
  • Concept of adaptive buffers sits nicely with me - the most visceral ones being economic capital and reinsurance/hedging/liquidity facilities, but TW attempt to expand that over qualitative areas of the risk appetite statement
  • Risk preference ranking of 0-4 depicted at the back is a handy schematic

Sore points

  • "Some take the view that risk appetite can be expressed as a single metric, or perhaps a small set of metrics, that capture the organisation’s willingness and ability to bear risk." - that 'some' would include the FSB, COSO, the Central Bank of Ireland and the IRM, so I wouldn't be too sniffy at efforts to-date
  • "Much of the work to-date on risk appetite statements has been driven by solvency supervision requirements, many statements tend to focus primarily on potential losses of capital" - a natural and by no means unwelcome by-product of having regulators in the box-seat, as opposed to stakeholders combining their efforts to establish compulsory risk appetite statement content?
  • "While most insurers have, by now, developed risk appetite policy statements and discussed them with their boards, many have expressed dissatisfaction with the exercise" - that feels a rather loose statement, and if true says more about the personnel charged with performing the work.

I'll take a look at the diversity of definition in the risk appetite space across different bodies in a separate post - for now, just enjoy this tidy piece of work for what it is.


Sunday, 5 February 2012

COSO - understanding and communicating Risk Appetite

Hot on the heels of materials pushed out on the Irish front from both the regulator and the consultancies, as well as the IRM's efforts in autumn of last year, COSO have stepped up to the plate with their take on understanding and communicating Risk Appetite, a topic which will be spectacularly relevant to insurers over 2012 for ORSA purposes, and indeed for anyone in and around the Irish Sea for corporate governance compliance reasons.

Having had a good sniff through, I struggled to find anything controversial in COSO's take on things, and, whether by accident or by design, it treads the same path as Richard Anderson's paper from the IRM.

The following quotes provide some of the more salient points made by the authors:

  • "Risk appetite is the amount of risk, on a broad level, an organisation is willing to accept in pursuit of value" - not a bad way to think of it for an insurer (i.e. embedded value), though the 'broad level' add-on is unnecessarily and disconcertingly vague. This incidentally runs against one of the IRM's key principles, namely that risk appetite must be measurable (p7).
  • Authors believe that "...when properly communicated, risk appetite provides a boundary around the amount of risk an organisation might pursue" - without splitting hairs, the definition of risk appetite above isn't especially black and white!
  • The three risk appetite steps of "Develop-Communicate-Monitor and update" are spot on, however, one might think that the "develop" piece is already done in most organisations (or why would the owners get up in the mornings?), and communicating it is the big issue.
  • Should create a Risk Appetite Statement which is "broad enough yet descriptive enough for organisational units to manage risks consistently within it" - good point, as of course some departments of a business would struggle without such breadth in their appetite statement (business continuity and marketing spring to mind)
  • Similarly, that statement should "balance brevity with the need for clarity"
  • Confidently states that "we all know the costs of failing to manage risk", but dishes out some pretty generic examples, bearing in mind the zingers which have pitched up over the last three years
  • Exhibit 1 on considerations affecting risk appetite is a very smart schematic for provoking thought at executive level
  • Box on p5 has a rather definitive statement around there being a lack of risk appetite articulation which contributed to the current financial crisis - certainly wasn't a problem at Lehman's, more that it was a moveable feast!
  • Handy box on p7 which covers the tie-in between what rates as an "adequate" ERM Framework in the context of S&P's ratings methodology, and what management must be able to articulate on the Risk Appetite front.
  • Some very nice examples (p8-10) of risk appetite statements from different industries, and of risk tolerance statements anchored to associated risk appetite statements (p13-14).
  • The big one - differentiating Risk Appetite and Risk Tolerance - is on p11. Whether you agree with the COSO conclusion (i.e. that Risk Tolerances implement Risk Appetite within each operating unit's sphere of influence), it does at least try to square the circle, and the clarity should benefit practitioners. However, the statement "While Risk Appetite is broad, Risk Tolerance is tactical and operational" is poor - I'm guessing one could substitute "broad" for "strategic", or "tactical and operational" for "specific", and it makes sense.
  • Interesting list on p16 of questions to facilitate Board-level discussions on Risk Appetite which I suspect is probably too wordy for many Boards to throw themselves into wholeheartedly.
  • Starts to peter out towards the end, which is normally the case with such guidance materials (once you start descending into 'performance models', communications strategies and risk culture, the ability to prescribe content and form to disparate organisations diminishes substantially).

Ultimately, while the document is of considerable use for anyone who needs a reputable crutch on the topic (and is perhaps outside of financial services), it is probably too generic to be of great use as an aide-memoire to any Solvency II-covered insurers, and I would stick with the IRM's take ("those risks that [an organisation] actively wants to engage with") when scripting a Risk Appetite Statement.


Chapeau for the good parts nevertheless...