- Group executive level will be high level and inclined toward expressing appetite for risks to objectives that deliver value and increase performance. The RAS will describe objectives, risks, expected returns and control(s) requirements,
- Middle management level will articulate levels of tolerance that, if breached, will require escalation and "circuit breaking" reports, with priority given to immediate interdictions and a review of internal controls,
- Business unit level will be more detailed and inclined toward expressing risk limits and internal controls.
- Explicitly stated objectives and where they reside on the risk appetite continuum,
- The associated subsidiary objectives and where they reside on the risk appetite continuum,
- First RAS drafts at group and subsidiary levels,
- RAS approvals, once operational and business model implications are fully understood and satisfied.
a. Large, privately held companies will have clearly established and communicated mission statements, etc.
b. For a large number of regulated entities in Ireland, this will reflect the goal set by the parent for the subsidiary,
c. For public companies, this will be reflected in the legislation establishing the entity.
2. Strategic initiatives:
a. Very many organizations will not have a board-approved, 10-15 year strategic plan. Rather, they will have business plans within which various strategic initiatives are either implied or explicitly stated,
b. The development of a strategic plan is outside of the scope of a RAF, but each document informs the other.
3. Board (risk committee) statement of risk assurance requirements: This is a prescriptive statement addressing a wide range of requirements and would include the following, among others:
a. Objectives that are clearly articulated, aligned with strategy and performing to expectations,
b. Risks to objectives that are identified, assessed and evaluated against approved risk criteria,
c. Risk treatment plans that are executed efficiently and effectively, increasing the likelihood of achieving objectives.
4. Objectives: As discussed above.
5. Risk appetite continuum: a five-level continuum against which company (group and subsidiary) objectives are mapped relative to appetites for risk (from very high to very low).
6. Risk appetite statements:
a. Overall group RAS
b. Objective-level RASs
c. Risk treatment-level RASs.
7. Risk criteria tables (risk tolerances and limits):
a. Five levels (substantial, down to negligible impacts),
b. Measurable risk limits
c. Measurable risk tolerances.

How can organizations ensure that RAFs are both actionable and measurable? The RAF is to the board of directors what risk management is to the rest of the organization. As such, there is a direct correlation between the efficacy of the RAF and the efficacy of the risk management framework. Ensuring that RAFs are both actionable and measurable requires an understanding of how boards work in this particular context. When RMI converses with board members and the executive, we share what we call the RMI "Tell me, Show me, Prove it to me" questions. The questions vary from company to company, but the broad results of the informal scoring we then apply do not vary greatly. For example:
- Tell me: (Score: 3/10)
  - How you relate your strategic plan to critical objectives and their associated key performance indicators (KPIs),
  - About your board audit/risk charter,
  - About your risk management framework.
- Show me: (Score: 5/10)
  - Your strategic plan/objectives statements,
  - Your risk register and how it links to objectives, KPIs and threats/risks to the enterprise,
  - Your risk appetite statements,
  - Your risk treatment plans,
  - Your top five contingency plans.
- Prove to me that: (Score: 2/10)
  - Your risk register is not just a list of risks,
  - Your top 10 risks are the real top 10,
  - Risk owners actually provide input to the flow of information and ultimately to the risk register,
  - Known issues and risks on the ground can be escalated to decision makers without jeopardy to the originators of the information,
  - Dynamic risks can be aggregated in real time and with confidence because of your data governance practices,
  - Your crisis management team (CMT) is developed and capable.
- What demonstrable evidence do you have that your top five group risks are the right top five?
- Can you monitor threats and risks to objectives in real time, and what kind of dynamic tests can you run on your red flags?
- What proofs do you have that management is capable of switching from business as usual, to delivery of credible solutions to stakeholders under abnormal/adverse conditions?
- Where are you in terms of risk maturity, and how do you know?
- Reporting to the CEO:
  - Focus 1: Defend operations, reputation, business model,
  - Focus 2: Exploit opportunities faster than less adaptive competitors.
- Executive and management (risk) training;
- Inclusion of risk management KPIs in annual appraisals, and
- Deployment of a database solution designed and specified to the ISO 31000 series
- Knight, Rory F. & Pretty, Deborah J. (1996). The Impact of Catastrophes on Shareholder Value. The Oxford Executive Research Briefings, Templeton College, University of Oxford, Oxford OX1 5NY, England.
- Poor crisis management,
- Failure to recognize the significance of the event early enough in the crisis,
- Poor stakeholder communications, including with news and social media,
- Lack of awareness of the potential for reputational damage,
- Failure to appreciate the importance of transparency early enough,
- Failure to learn from prior experience (even within the same company).
- Have exceptional risk radar,
- Build effective internal and external networks,
- Review and adapt based on excellent communications,
- Have the ability to respond rapidly and flexibly,
- Have diversified resources.