Governance, Risk and Compliance
By Resolver Modified September 12, 2021
Leadership often looks to its risk teams to help it gain a better understanding of new and emerging risks in order to make confident, strategic decisions within the organization's risk appetite. This is especially true in times of crisis or uncertainty.
The reality is that things move quickly and, unfortunately, there is no crystal ball. A key part of this process is getting everyone on the same page, talking the same language, and using risk appetite statements. Risk statements that are clear, concise, and actionable are key to getting employees, customers, the Board of Directors, the C-suite, investors and regulators aligned.
There are many misconceptions and challenges around the topic of risk appetites. A few of the most common ones that we’ve heard from customers include:
To dive deeper and answer the most pressing questions around this topic, we hosted a session with RIMS, Leeanne Barnes, Director of Enterprise and Operational Risk at Ontario Teachers’ Pension Plan, and Devi Mohan Das, Senior Manager of Risk Consulting at KPMG Canada. In this session, we focused on strategies to help risk teams:
This engaging, in-depth session raised excellent questions about risk appetite statements and practical use cases that attendees could apply in their organizations. We asked our panelists to continue the conversation and answer some of the most common questions that we received.
Leeanne Barnes: We think about Key Risk Indicators (KRIs) as metrics to monitor specific risks and tolerances. At Ontario Teachers’ Pension Plan, each KRI rolls up to support the broader risk appetite of the organization. A Risk Appetite Metric is usually much higher level, similar to monitoring an enterprise limit, as an example. The way that we have developed the taxonomy at Ontario Teachers’ Pension Plan is that KRIs are mid-level metrics to monitor various aspects of an enterprise risk. We establish tolerances (i.e. green, amber, red) to determine what is acceptable versus what is above tolerance for that specific metric. We try to leverage existing data to build these KRIs.
Leeanne Barnes: Great question, it is a big role. Policies ultimately reflect the amount of risk an organization is willing to accept, and adherence to the policies embeds risk appetite in the organization. For example, if an organization has a very low risk appetite for the health and safety of their people, then their training policies, operational practices, and reporting would reflect that. Policies ultimately reflect the culture and the risk appetite of the organization. If those things are not aligned, then there will be a lot of work to do.
Leeanne Barnes: Assuming risk context is similar to a business environment assessment, it is a super important component to both your risk and strategy discussions. An organization needs to understand the context in which they are operating, and be able to answer the question “do we need to take more or less risk in certain cases to achieve our objectives and strategy?” Understanding the internal and external landscape is key.
Leeanne Barnes: Absolutely. Risk is not only about managing the downside, but also understanding and making decisions regarding the upside. A good example of this is disruptive technology. There may be risks based on an organization’s current platform, or there could be a competitive advantage as the organization undergoes modernization and harnesses that momentum to lead change and shake up the industry.
Leeanne Barnes: At Ontario Teachers’ Pension Plan we leverage the well-defined management governance structure to support risk acceptance. With defined roles and accountabilities as well as decision authorities, it is clear how risk is accepted or not. We do not have a separate framework; it is embedded into everything we do and at various levels. We also have escalation built into the governance framework in case we need more voices at the table.
Devi Mohan Das: Risk appetite and risk acceptance mechanisms should ideally be featured as key components of the organization’s overall ERM framework. Once the organization has identified and set their risk tolerance across their risk index, they can go on to consider their risk acceptance.
Leeanne Barnes: This is a great question, and one that we have spent a lot of time on over the past couple of years. First, be sure that you know the timing of the various discussions and make sure that the risk work is done in advance of the strategy work. This way, risk becomes an input into the overall strategy. Through Enterprise Risk Management we focus on the most important risks to achieving strategy, and work with the organization to determine priorities and potential shifts that we need to make. This allows us to validate the business environment which is a key input into strategy discussions. I would also suggest building strong relationships between the two teams.
Leeanne Barnes: Unfortunately, there isn’t a clear-cut answer to this. We leverage thought leaders to help in certain cases. It’s also helpful to gain insight from peers if the information is available or if you’re able to pull together a peer group. We recommend that you have a well understood Probability and Impact assessment scale, i.e. what are the risk categories and potential impacts the organization is most worried about? Understanding that can help to reinforce the risks that are most important to the organization and help to determine the Key Risk Indicators (KRIs) or metrics that you can leverage (internal and external data) to start monitoring the risk. KRIs are always evolving, so it will take time and you should expect to make adjustments along the way.
Devi Mohan Das: I definitely agree with Leeanne. There is no one-size-fits-all solution on setting tolerances. It is very centric to the organization, strategic objectives, risk landscape, risk culture and risk maturity of the organization.
Devi Mohan Das: The 2008 global crisis provided several examples of how boards failed to set and oversee their company’s risk appetite and tolerance. Since then, we have seen regulators emphasizing their expectation of the boards to oversee the risks, which helps to ensure alignment with management on the amount of risk that organizations are willing to take and/or accept for specific risk types over a given time. In addition to regulatory compliance, boards can also gain early warning of the risks that the organization faces on its journey ahead.
Leeanne Barnes: I believe that the Board needs to be part of the risk management journey. It is helpful to share external learnings and incidents with Senior Management and the Board that can be found in media or in an incident database. These learnings can be used to figure out if your organization could also be exposed (or not) to such an event, and what the organization’s position is. I think the evolution of risk management is definitely about making sure the right information is getting to the right people, in a meaningful way, to help them make informed decisions. Using cyber as an example, there are a lot of people who might not be tech savvy, so bringing in external advisors or conducting internal assessments of the risks and potential exposures and clearly articulating the impacts is very helpful and eye opening. I find engaging in meaningful and easily understandable discussions goes a long way.
Regarding aligning Risk Appetite with Enterprise Risk Management, this should be done early on, at least at a high level. For us, it started with really understanding the risk categories, and risk impacts, both financial and non-financial. Defining your Probability and Impact scale and figuring out which boundaries are “green”, “amber”, and “red” can help articulate risk appetite through discussions with the senior leaders / executive team. It can also highlight where there may be some differences of opinion.
Leeanne Barnes: Culture is a very broad concept. I would suggest starting with some smaller ambitions through objectives that the organization agrees to on how you want to shift the “risk culture” of the organization. For instance, is it education that is needed? Every year, I pick two or three ambitions to focus on. Also, integrating risk into every discussion or decision can be super helpful. Making sure risk has a seat at the table is important.
Devi Mohan Das: KRIs are indicators or metrics that are used to measure risks that the business is exposed to.
While identifying KRIs, organizations must:
Devi Mohan Das: KRIs and KPIs are closely related in an ideal state. The KRIs should be traced to a KPI, and this would be linked to the organization’s strategic goals and objectives. This way organizations can maintain their focus on the “Top” risks.
Leeanne Barnes: We like to review our KRIs and tolerances regularly, at least annually, but also as we learn and adjust.
Devi Mohan Das: Risk appetite should be reviewed annually, at the very least to ensure that the organization’s strategic objectives and business plans are consistent with the risk appetite.