There is a navigational term called “dead reckoning.” It is taken from the period before radar and GPS. Back then, navigators used the sun and the stars to get from point A to point B, until point B got to within sight.
It worked as follows: Once you knew where you started, knew where you were going and knew your speed, you could use the sun and the stars to set your bearings and chart a course. There was always much uncertainty and large margins for error built into navigational estimates.
This is what board risk governance looks like today. Instrumentation is poor. Most available data is not current. It does not tell us where we are today. It is historic. It’s a bit like buying last month’s newspaper today. Interesting, useful, but not up to date.
In the board room solace, or concern, can be taken from management information. However very many non-executive directors are nervous. They know that they are getting old news. They know that they carry the same statutory obligations as their executive director colleagues but that the executive directors have the most up-to-date news.
The boardroom equivalent of the crow’s nest includes strategic and integrated reports as well as risk reports on what today are highly networked organizations. Organizations are no longer vertically integrated. Organizations no longer have jurisdiction or control over all of the non-financial activities (i.e. the operations) that drive business results. To make matters worse, we live in a hyper-connected, multispeed, uncertain world where multiple things can have multiple impacts on reputation and business operations.
In the boardroom, there is an awful lot more uncertainty than certainty.
What Nassim Nicholas Taleb has told us is his seminal, spine-chilling Black Swan and Antifragility is that not only are we buying yesterday’s news but that the news we are getting is hugely erroneous. He talks of the ludic fallacy, much of which is embedded in contemporary risk management practices.
What Taleb is also telling us is that discontinuity is the new norm. And that the organizations that will thrive in the future are the ones that will take their energy from that discontinuity.
But how is this to be done?
From 35,000 feet, it looks like integration of risk, strategy and decision-making processes.
At 500 feet, it looks like measurement of alignment (remember this is dead reckoning!) with both internal organizational and international proven and accepted guidelines linking risk, strategy and decision-making processes.
Can organizations move beyond dead reckoning and get better instrumentation? Absolutely! I will come back to this in a later post.
In the meantime, consider the prize:
Empirical evidence underpinning an assured calculation of:
Sustainability of current performance,
Enhancement of future performance,
Soundness of transformational strategies,
Management capability to defend reputation and operations under abnormal and adverse conditions,
This makes a difference when talking with credit raters, funders, investors, regulators and a whole swath of other stakeholders.
What’s the barrier to entry for organizations?
Is it cost? Not really.
Integration of board audit/risk/strategy committee(s)/terms of reference
A track record in seeking and receiving external attestations
a. The value of linking corporate objectives, strategies, governance and risk management decision making processes,
b. Setting organizational agility as a strategic imperative,
c. The need to integrate governance, risk and compliance roles, processes and key performance indicators (KPIs)
The immediate gains? Access to, and lower cost of, capital than your less capable competitors
The immediate benefits?
Increasing management’s understanding of strengths and areas for improvement in integrating risk, strategy and decision-making processes across the organization
Supporting implementation of the organization’s strategy through improved alignment of objectives with mission, vision and values of the organization
Achieving and maintaining abilities to make, and execute, decisions across the enterprise, and seamlessly shift direction (called organizational agility), when called to:
– Grasp opportunities,
– Increase performance,
– Avoid threats and risks.
In my next post, I will talk about how we can get from dead reckoning to up-to-date calculations of risk, strategy and decision-making process integration — at the pace of change!
This is Paper 5 of a series of five on the topic of risk appetite and associated questions. The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards comprehend the links between risk and strategy. This is achieved either through painful and expensive crises or through the less expensive development of a risk appetite framework (RAF). Understanding of risk appetite is in our view very much a work in progress for many organizations, but RAF development and approval can lead boards to demand action from executives.
Paper 1 is the shortest paper and makes a number of general observations based on experience working with a wide variety of companies. Paper 2 describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management. Paper 3 answers questions relating to the need for risk appetite frameworks and describes their relationship to strategy. Paper 4 answers further questions on risk appetite and goes into some detail on the questions of risk culture and risk maturity. This paper, Paper 5, describes the characteristics of a risk appetite statement and provides a detailed summary of how to operationalize the links between risk and strategy.
What are the characteristics of an effective risk appetite statement?
The purpose of a risk appetite statement (RAS) is to provide clear guidance to people, at all levels, of the ranges of risk within which they are required to operate in pursuit of objectives. An RAS exists within a risk appetite framework (RAF). The RAF is the ‘’overall approach including the policies, controls and systems, through which risk appetite is established, communicated and monitored.’’
As a particular RAS is devolved down through an organization, its content will change based on the intended recipients. For example, a RAS at:
Group executive level will be high level and inclined toward expressing appetite for risks to objectives that deliver value and increase performance. The RAS will describe objectives, risks, expected returns and control(s) requirements,
Middle management level will articulate levels of tolerance that, if breached, will require escalation and “circuit breaking” reports, with priority given to immediate interdictions and a review of internal controls,
Business unit level will be more detailed and inclined toward expressing risk limits and internal controls.
A RAS that is not explicit and clearly communicated has limited value. For this reason, a RAS exists within a compendium of (risk appetite) statements that take their root at the intersection between a particular group-level objective and its associated subsidiary objective(s).
The RAF, like the strategic plan, is explictly approved by the board. Properly crafted and implemented, it has powerful utility to directors in that the RAS approval process requires a series of linear RAF discussions. Wisely conducted, these discussions can result in a peeling back of the many layers of complexity associated with operational drivers and the business model. Independent, non-executive directors (INEDs), in particular, can find this immensely useful as most INEDs will typically only possess a relatively superficial understanding of the principal operational exigiencies that drive performance.
The RAF discussions will include discussions on:
Explictly stated objectives and where they reside on the risk appetite continuum,
The associated subsidiary objectives and where they reside on the risk appetite continuum,
First RAS drafts at group and subsidiary levels,
RAS approvals, once operational and business model implications are fully understood and satisfied.
RAF template headings:
RMI offers frequently used headings that we use in helping organizations develop their RAFs.
a. Large, privately held companies will have clearly established and communicated mission statements, etc.
b. For a large number of regulated entities in Ireland, this will reflect the goal set by the parent for the subsidiary,
c. For public companies, this will be reflected in the legislation establishing the entity,
2. Strategic initiatives:
a. Very many organizations will not have a board-approved, 10-15 year strategic plan. Rather, they will have business plans within which various strategic initiatives are either implied or explicitly stated,
b. The development of a strategic plan is outside of the scope of a RAF, but each document informs the other,
3. Board (risk committee) statement of risk assurance requirements: This is a prescriptive statement addressing a wide range of requirements and would include the following, among others:,
a. Objectives that are clearly articulated, aligned with strategy and performing to expectations,
b. Risks to objectives that are identified, assessed and evaluated against approved risk criteria,
c. Risk treatment plans that are executed efficiently and effectively, increasing the likelihood of achieving objectives,
4.Objectives: As discussed above,
5. Risk appetite continuum: five-level continuum against which company (group and subsidiary) objectives are mapped relative to appetites for risk (from very high to very low)
How can organizations ensure that RAFs are both actionable and measurable?
The RAF is to the board of directors what risk management is to the rest of the organization. As such, there is a direct correlation between the efficacy of the RAF and the efficacy of the risk management framework. Ensuring that RAFs are both actionable and measurable requires an understanding of how boards work in this particular context.
When RMI converses with board members and the executive, we share what we call the RMI “Tell me, Show me, Prove it to me” questions.
Questions will vary from company to company, but broad results in terms of an informal scoring that we would thereafter apply do not vary greatly.
Tell me: (Score: 3/10)
How you relate your strategic plan to critical objectives and their associated key performance indicators (KPIs),
About your board audit/risk charter,
Risk management framework.
We are told about external attestation (sometimes exemplary), policies, board committees and rich processes.
Show me: (Score: 5/10)
Your strategic plan/objectives statements,
Your risk register and how it links to objectives, KPIs and threats/risks to the enterprise,
Your risk appetite statements,
Your risk treatment plans,
Your top five contingency plans.
We find that most of these documents do not always exist and that the Excel spreadsheets, word documents and Power Points (invariably with differing formats for different parts of the organization) make no consistent reference to objectives, other than obliquely. In addition, we find that original risk reports are edited on multiple occasions as they travel from original risk owners to the executive and the board.
Prove to me that: (Score: 2/10)
Your risk register is not just a list of risks,
Top 10 risks are the real top 10,
Risk owners actually provide input to the flow of information and ultimately to the risk register,
Known issues and risks on the ground can be escalated to decision makers, without jeopardy to the originators of information,
Dynamic risks can be aggregated in real time and with confidence because of your data governance practices,
Your crisis management team (CMT) is developed and capable.
We find that risk data governance is so poor that answers to these questions can only be determined after manual searches over a number of days. This is compounded when, invariably, we also find that managers have not been adequately trained in the use of common language, risk management processes or board risk-assurance requirements. Furthermore, we find that ‘’risk culture’’ is such that people are disinclined to speak up with regard to matters giving them cause for concern lest they jeopardize relationships with colleagues and their next reports.
We therefore recommend that fundamental questions for the CEO and INEDS should include:
What demonstrable evidence do you have that your top five group risks are the right top five?
Can you monitor threats and risks to objectives in real time, and what kind of dynamic tests can you run on your red flags?
What proofs do you have that management is capable of switching from business as usual, to delivery of credible solutions to stakeholders under abnormal/adverse conditions?
Where are you in terms of risk maturity, and how do you know?
RMI also recommends the following framework, which summarizes how to ‘’Operationalize the links between Risk and Strategy,’’ ensuring that RAFs are measurable and actionable.
The framework is summarized as follows:
Reporting to the CEO:
Strategy/Risk Program Office reporting to the CEO and Board Audit/Risk Committee, with:
Focus 1: Defend operations, reputation, business model,
Focus 2: Exploit opportunities faster than less adaptive competitors.
2. Board Audit/Risk Committee:
Executing responsibilities with regard to risk in the manner described earlier in this paper and in particular as described in the RMI answer to the FAQ: “What are characteristics of an effective risk appetite statement?”
3. Data Governance: Putting System to Process:
Understanding the significance of integrating:
Executive and management (risk) training;
Inclusion of risk management KPIs in annual appraisals, and
Deployment of a database solution designed and specified to the ISO 31000 series
(Note: Lessons learned from the global financial crisis include that database solutions, by themselves, are not the solution. The adage, “poor information input, misinformation output,” is appropriate and reminds us that tools and techniques in the wrong hands can precipitate disaster.)
4. Library of Responses to Top 5-10 Threat/Opportunity Rehearsals
Seminal works that have been undertaken include:
1996: The Impact of Catastrophes on Shareholder Value: Rory F. Knight & Deborah J. Pretty, The Oxford Executive Research Briefings, Templeton College, University of Oxford, Oxford OX1 5NY, England.
What contributed to catastrophic failure?
Poor crisis management,
Failure to recognize the significance of the event early enough in the crisis,
Poor stakeholder communications, including with news and social media,
Lack of awareness of the potential for reputational damage,
Failure to appreciate the importance of transparency early enough,
Failure to learn from prior experience (even with the same company).
Have exceptional risk radar,
Build effective internal and external networks,
Review and adapt based on excellent communications,
Have the ability to respond rapidly and flexibly,
Have diversified resources.
These separate and unrelated studies similarly conclude that management’s capability to defend operations, the business model and reputation are mission-critical to sustainable performance in the 21st century
In conclusion, it is our view that operationalizing the links between risk and strategy in the manner outlined above will, with positive CEO and board endorsement, fulfill the role of the board as concluded by the Financial Reporting Council (FRC) report: Boards and Risk: A Summary of Discussions with Companies, Investors and Advisors, September 2011.
 Strategic plans and business plans without explicitly stated objectives have no meaning.
 Theoretically, objectives are devolved from group to subsidiary boards. In reality, what happens is that group and subsidiary executives and directors (the latter through respective risk committees) engage in operational discussions directed at ensuring understanding, thus increasing likelihood of success.
 Properly constructed risk treatments are the leading indicators of the future state of health of objectives. As such, risk treatments are at the cutting edge of the management of risks to objectives.
 Dr. Peter Drucker: ‘’ If it can’t be measured, it can’t be managed.” As with determination of leading indicators in balanced score cards, these can often be difficult to establish.
 CMTs are activated when issues and events that threaten to overpower operations, the business model or reputation arise.
This is Paper 4 in a series of five on risk appetite and associated questions. The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards comprehend the links between risk and strategy. This is achieved either through painful crises or through the less expensive development of a risk appetite framework (RAF). Understanding of risk appetite is in our view very much a work in progress for many organizations, but RAF development and approval can lead boards to demand action from executives.
Paper 1, the shortest paper, makes a number of general observations based on experience in working with a wide variety of companies. Paper 2 describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management. Paper 3 answers questions relating to the need for risk appetite frameworks and describes in some detail the relationship between risk appetite frameworks and strategy. This article, Paper 4, answers further questions on risk appetite and goes into some detail on the questions of risk culture and risk maturity. Paper 5 describes the characteristics of a risk appetite statement and provides a detailed summary of how to operate based on the links between risk and strategy.
How are risk appetite, risk tolerance and risk limits related to one another? A range of differences in philosophy are influencing the gradual determination of internationally accepted definitions. Notwithstanding, we recommend the definitions and the sequence of diagrams and explanations given in the Institute of Risk Management’s (IRM) guidance, which are
A number of models exist that seek to describe the relationship between risk appetite, tolerance and risk; for instance, the Ernest and Young Risk Pyramid below:
How are organizations using risk limits and risk tolerances around those limits? Our experience in working with clients shows that organizations are continuing to struggle with basic risk concepts, definitions, language, responsibilities, reporting and delivery. Accordingly, while risk limits are set to contain risk-taking practices, lack of common language and loose interpretation of concepts is causing confusion within organizations and leading to limits being seen as negotiable within the context of risk tolerances. As a corporate discipline, risk management is in its infancy, and the quality of risk practitioners is generally poor. Risk limits are perceived negatively by business practitioners, who use their limited knowledge of risk tolerances to argue for greater flexibility in applying limits.
How do organizations facilitate early warning of potential breaches of risk appetite? In practice, we find that there is limited facilitation. Rather, business people see the concept of risk as limiting practices that drive value and, thus, adopt the business school mantra of “seeking forgiveness rather than permission.” This is made easier in organizations where risk is seen as a nuisance and impediment to business and where appreciation of quality risk management is not apparent at senior levels. Business generators tend to view risk as friendly and flexible, designed to support business generation. Thus, risk limits are treated like speed limits on the public highway, more for observation than observance. Accordingly, we find few cases where early warnings are seen as anything other than flashing lights on the dashboard. In many cases, early warnings result in a case’s being presented to the risk committee for raising limits, rather than resulting in severe braking to ensure conformity in risk management.
Much of the foregoing represents the cultural challenge of embedding risk as a serious discipline rather than a faux science treated as an add-on. This reflects the nascent nature of risk management and its failure to be seen at board level as front and central to strategy and its effective and safe execution. Culture and “tone from the top” are critical here. So is strong support for risk executives at senior management level and an appreciation that risk management is akin to the medical profession, where hygiene is embedded in all procedures and provides a safe and secure means of conducting business, rather than being an impediment. The absence of good-quality risk officers and of universally accepted definitions of risk also undermine the discipline in organizations where there are few effective sanctions against limits being broken.
How do organizations assess risk culture? Optimal risk culture is designed and nurtured on building blocks practically described as blocks ABC:
The building blocks are briefly summarized as follows:
Training, values and beliefs, reporting and continuous improvement directed at outcomes driving attitudes displayed by people, which
Influence their behaviors and thus the quality of their discussions and decision making, thereby
Manifesting as demonstrably credible risk culture.
Other than retrospective analysis of poor risk culture following various corporate crises, there is a limited body of reliable knowledge, and experience, on assessing “existing risk culture” and successfully navigating to a “target risk culture.” The IRM’s “Risk Culture, Under the Microscope: Guidance for Boards” describes multiple interactions:
Diagnostic tools are available to track the components described within the framework above. In our experience, however, such is the poor state of risk maturity in very many organizations that they are not sufficiently advanced to practically determine how they might chart a course from the existing to the target state of risk culture.
In 2011, the Financial Reporting Council produced the report: “Boards and Risk: A Summary of Discussions with Companies, Investors and Advisors.” In the section on risk and control culture, the report said:
It was recognized that risk and control culture was one of the issues on which it was most difficult for boards to get assurance, although boards appeared to be making more efforts to do so.
The risk management and internal audit functions could play an important role, as could reports from and discussions with senior management, but some directors felt that there was no substitute for going on to the shop floor and seeing for themselves. It was otherwise very difficult to judge whether risk awareness was truly embedded or whether it was seen as a compliance exercise. This, in turn, assumed that non-executive directors had a sufficient understanding of the business, which some participants noted may not always be the case.
One common approach was to ensure that responsibility for managing specific risks was clearly allocated to individuals at all levels of the organization, with their performance measured and reflected in how they were rewarded.
In some companies, the remuneration committee had been given responsibility for considering how to align the company’s approach to risk and control with its remuneration and incentives. Examples were also given of the head of the risk management or internal audit function submitting reports to that committee, for example on how the company was performing against certain key risks, or being invited to comment on the details of proposed incentive schemes. More recently, the Financial Stability Board (FSB) in its “Peer Review Report on Risk Governance,” published in February 2013, identified ‘’business conduct’’ as a new risk category and said, “One of the key lessons from the crisis (GFC) was that reputational risk was severely underestimated; hence, there is more focus on business conduct and the suitability of products, e.g., the type of products sold and to whom they are sold. As the crisis showed, consumer products such as residential mortgage loans could become a source of financial instability.” In consulting and developing guidance for regulators, the FSB emphasizes the importance of risk culture as a principal influencer reducing the risk of misselling financial services products that can end up in the wrong hands with detrimental prospects for consumers in particular and society in general. Clearly, conduct risk is systemic, and inherently so when considered in the context of big data; that is to say, conduct risk is very unlikely to exist in isolation within an organization.
Separately, the FSB has articulated what it considers to be the foundation elements of a strong risk culture in its publications on risk governance, risk appetite and compensation. It has broken down the indicators into four parts, which need to be considered collectively and as mutually reinforcing. The four parts are:
Tone from the top: The board of directors and senior managers are the starting point for setting the financial institution’s core values and risk culture, and their behavior must reflect the values being espoused. The leadership of the institution should systematically develop, monitor and assess the culture of the financial institution.
Accountability: Successful risk management requires employees at all levels to understand the core values of the institution’s risk culture and its approach to risk, be capable of performing their prescribed roles and be aware that they are held accountable for their actions in relation to the institution’s risk-taking behavior. Staff acceptance of risk-related goals and related values is seen as essential.
Effective challenge: A sound risk culture promotes an environment of effective challenge in which decision-making processes promote a range of views, allow for testing of current practices and stimulate a positive, critical attitude among employees and an environment of open and constructive engagement.
Incentives: Performance and talent management should encourage and reinforce maintenance of the financial institution’s desired risk management behavior. Financial and non-financial incentives should support the core values and risk culture at all levels of the financial institution.
Clearly, there is consistency in thinking as to the importance of risk culture and its core attributes. Monitoring risk culture is, however, very challenging, indeed. To the particular question of communicating risk culture to stakeholders, we question whether this can be done credibly in the absence of finding proxies for attitudes and behaviors described in the ABC risk culture building blocks described above. Our experience tells us that risk maturity capability requirements are today well-understood, reliable and credible proxies for risk culture. On this basis, we recommend that organizations travel the better known road of “risk maturity,” for which there are a number of capable maturity models in existence.
We believe there to be a demonstrably credible correlation between full maturity (optimizing value through aligning risk and strategy with corporate objectives) and board ownership of the risk appetite framework, building resilience (defending operations, business model and reputation) and risk culture. The RMI Risk Maturity Index correlates:
Level of alignment of risks to strategy, objectives and execution,
Risk role affirmations at each maturity level,
Risk culture affirmations (practices confirmed by internal and external attestors),
Risk defense affirmations (practices confirmed by internal and external attestors),
Board and organizational processes, and
Value realized at three levels: a) the investor, b) the organization and c) stakeholders.
Progression from one level to the next requires a blend of internal and external independent attestations, which are facilitated with the aid of a database containing structured question sets. Risk maturity scores are weighted according to the:
Quality of answers provided to questions,
Availability of demonstrably credible evidence supporting answers,
Rigor and consistency of risk data,
We believe that risk maturity attestation by seasoned practitioners will provide evidence-based assurance as to organizational risk culture.
This is Paper 3 of a series of five on risk appetite and associated questions. The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards comprehend the links between risk and strategy. This is achieved either through painful crises or through the less expensive development of a risk appetite framework (RAF). Understanding of risk appetite is very much a work in progress for many organizations, but RAF development and approval can lead boards to demand action from executives.
Paper 1, the shortest paper, makes a number of general observations based on experience with a wide variety of companies. Paper 2 describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management. This paper, Paper 3, answers questions relating to the need for risk appetite frameworks and describes in some detail the relationship between risk appetite frameworks and strategy. Paper 4 answers further questions on risk appetite and goes into some detail on the questions of risk culture and risk maturity. Paper 5 describes the characteristics of a risk appetite statement and provides a detailed summary of how to operationalize the links between risk and strategy.
Paper 3: Should all organizations have a risk appetite framework?
The relationship between risk and strategy is a function or neither risk management nor strategic management. Rather, it is simply good management in an uncertain world, where business models are:
Increasingly driven to be available on a 24/7 global footprint,
Online using telecom networks,
Becoming more dependent on third-party service providers,
Becoming more connected within larger financial, supply chain and energy supply chains.
It is our view that the term “risk management” will, within the 2010 decade, become supplanted by the term “resilience management” and that the latter term will become an integral part of risk culture in organizations that are trading internationally or vulnerable to international supply chains.
Maintaining a risk appetite framework will thus, before the end of this decade, be a matter of necessity, and not a matter of choice. The driver in this regard will be the pace of change. Look at the pictures above, both at a papal blessing, and you see what a difference less than a decade years can make.
What is leading organizations to put formal risk appetite frameworks in place?
Greater investor and regulatory focus, combined with a recognition that risk practices are becoming increasingly professional, has caused organizations to change attitude toward risk from a broadly negative stance to a more positive and engaged approach.
We note a global scarcity of skilled chief risk officers and unwillingness by organizations to commit resources in the current economic climate. Nevertheless, enlightened organizations are gaining appreciation of the links between risk and strategy and in turn toward putting in place the necessary resources and supports to provide greater risk professionalism.
How are risk appetite and strategy related?
The diagram below describes the relationship.
Figure 2: RMI’s 7 elements approach to aligning strategy and risk
Earlier in these papers, we described board risk assurance as assurance that strategy, objectives and execution are aligned.
We further explained that alignment is achieved by operationalizing the links between risk and strategy. This is done by integrating each of the seven numbered elements described in the diagram above as follows:
1. Reaching a determination as to long-term purpose and formulating those strategic initiatives and objectives that are required to achieve it,
2. Understanding obstacles to the achievement of objectives: This needs to be understood practically in terms of a motor journey from say Dublin to Cork or Berlin to Paris.
Before the journey, people need to understand, and manage, what can stop them, slow them down or distract them on the journey. Once people understand risk management in these simple and practical terms, they understand that risk management is more about achieving objectives (getting from point A to point B) than compliance with regulations. It is about improving performance on the journey.
What people? In the simplest of terms, they are the owners of the car (shareholders represented by the board), the driver (CEO and executives) and passengers (primary stakeholders, i.e. customers, employees, investors, suppliers and secondary stakeholders and others with a legitimate interest in the business).
3. Setting objectives and getting balance and alignment (Note: strategy maps, e.g. Balanced Scorecard):
This is done in risk management terms by:
a. Strengthening the strategic planning process; for example:
i. Increasing rigor, formality and consistency in the strategic planning office (SPO), which derives its authority from the board and the CEO’s office,
ii. Aligning strategy, risk and audit board subcommittees (through cross-representation) in a manner that largely mirrors the conventional three lines of defense model and reflects the requirement to strengthen board risk oversight, reporting and monitoring,
iii. Embedding risk management competence within the SPO,
iv. Explicitly articulating corporate and organizational objectives,
v. Testing the alignment of group, corporate and organizational objectives through development and review of risk appetite statements.
b. Establishing an effective risk appetite framework, which includes:
i. Statement of purpose and values of the organization,
ii. Explicitly stated board risk assurance requirements; factors to consider would include:
Mapping objectives to a risk appetite continuum,
Qualitatively expressed risk appetite statements,
Quantitatively expressed risk criteria related to both risk tolerance and risk limits.
c. Understanding and improving the organizational level of risk maturity
Risk maturity is outside the scope of this paper; however, discussion on the topic would be welcomed by RMI. RMI has developed a five-level RMI Risk Maturity Index, which provides a road map to risk optimization. The index scores risk maturity capability requirements, etc. In summary, it describes:
Level 5: “Value-Driven” — Optimizing value through aligning risk and strategy with corporate objectives,
Level 4: “Managed” — Gaining value through aligning risk and strategy in pursuit of corporate objectives,
Level 3: “Insight” — Gaining insights into how to better align risk and strategy in pursuit of corporate objectives,
Level 2: “Awareness” — Developing awareness into how to align risk and strategy in pursuit of corporate objectives,
Level 1: “Basic” — Seeking awareness of the links of risk and strategy in pursuit of corporate objectives.
d. Building resilience:
i. Ensuring that the SPO engages in systematic risk horizon scanning as well as:
1. Understanding near misses and escalation reports in the organization and externally,
2. Monitoring performance of risk treatments,
3. Proofs and tests of the quality of decision making, and decision making processes, through simulated threat and opportunity crisis scenario(s) exercises,
4. Evaluating the amount of risk the organization is prepared to accept in pursuit of the long-term statement of purpose; and then deciding how to treat risks:
Just as implementation is critical to performance, risk treatment is at the cutting edge of risk management and managing risks!
Disappointingly, however, very many organizations commit disproportionate resources to risk assessment with inadequate attention paid to what really matters; that is,treating risks. In essence, very many organizations concentrate on the P in the PDCA (plan, do, check, act) cycle, with not enough attention paid to doing, checking and acting on continuous improvement requirements.
This is pretty much in evidence in a review of many of the risk registers we have examined on behalf of clients. The majority of the surface area/content of the report (sadly, and sometimes tragically, an Excel, Word or Power Point document, as distinct from a credible database solution) is given to risk assessment.
In our experience, often, precious little detail is given to:
Who, specifically is responsible for individual risk treatments,
Change management and resource requirements supporting risk treatments,
The project/risk treatment key performance indicators (KPIs), milestones and gateways,
The expected residual effect of risk treatments on likelihood and impact,
The role of management in reviewing performance against KPIs, milestones and gateways.
Risk treatment reports, which are presented to the level of detail described above and which are evaluated by the SPO in a manner that provides a feedback loop to the performance of objectives, become leading indicators of the future state of health of objectives.
5. Weighing the odds consistently throughout the organization: This is the function of the chief risk officer (CRO), a most important role within the organization, and risk committee.
The ability of the CRO and risk committee to efficiently and effectively perform this function is directly proportional to the efficacy of the assurances delivered as described above.
Typical weaknesses and challenges that can occur include:
1. Frequency of changes required to risk criteria (tolerances and limits) in early stage (risk) maturity organizations as a consequence of:
Pace of change internally and externally in the organization,
Identification of emerging and external risks hitherto not understood.
2. Inability to undertake real time dynamic tests of risk aggregations:
Around discrete objectives,
Across risk categories.
The weaknesses and challenges described above often result in:
1. Meetings where questions asked can only be answered in terms of:
i. This is the historic “point in time” information we have prepared.
ii. We will need to revert with answers to your query in X days.
2. Risk aggregation tests not being run and emerging/known unknown risks not being identified until there is an occurrence.
6. Compliance with laws and regulations: Organizations are established to achieve superior returns, with limited liability to risk takers. However, they are expected to do so having full regard for all legal requirements.
Clearly, it is axiomatic to assume the lawful intent of a company’s original promoters, and thereafter its directors and the executive. To this extent, compliance is an operational imperative and a sunken cost.
Compliance alone does not drive value, but without it value cannot be created.
It would seem inappropriate to place compliance at the center of board agenda, just as it would be a mistake to place compliance at the center of the diagram above, which describes the relationship between risk and strategy.
However, compliance is a mission-critical element within the risk/strategy governance framework.
7. Tough governance, setting policy and monitoring performance: In the context of the relationship between risk and strategy,tough governance means risk culture.
“Risk culture” is a term describing the values, belief, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organization or of teams or groups within an organization. This applies whether the organizations are private companies, public bodies or not-for profits, wherever they are in the world..
Risk culture, as an aspect of culture, can be practically described thus:
Culture: The way we do things around here!
Risk culture: The freedom we have to challenge around here!
Risk culture is capable of being demonstrably and credibly evidenced by:
1. Board and executive messaging on threats and risks to operations and jobs when people fail to act/report when they:
i. Identify a smarter way of completing a task, achieving an objective,
ii. See a threat or risk to the organization.
2. Escalation reports and their treatment by the executive and management,
3. Near misses reported and averted.
 Strategy formulation is not part of the development of risk appetite frameworks; however, each is intrinsic to, and informs, the other.
 IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Internal Control, January 2013
 Board Risk Oversight, A Progress Report: Where Boards of Directors Currently Stand in Executing Their Risk Oversight Responsibilities (Protiviti Report commissioned by COSO (Committee of Sponsoring Organizations of the Threadway Commission))
 NOTE: Risk Management and the Strategy Execution System by Robert S. Kaplan, which advances a method for aligning enterprise risk management with strategy through the Balanced Scorecard
 Effective reporting and monitoring of risk treatments delivers the twin benefits of 1) monitoring risk performance, and 2) establishing leading indicators on the future state of health of objectives
 Crisis is defined as: An inherently abnormal, unstable and complex situation that represents a threat to the strategic objectives, reputation or existence of an organization: PAS 200:2011 Crisis Management – Guidance and Good Practice, UK Cabinet Office in partnership with the British Standards Institute
 Reference Kaplan, Mikes Level 1 Global Enterprise Risks,
 McKinsey, August 2014, Why Implementation Matters: Good implementers—defined as companies where respondents reported top-quartile scores for their implementation capabilities—are 4.7 times more likely than bottom-quartile companies to say they ran successful change efforts over the past five years. Respondents at the good implementers also score their companies around 30% higher on a series of financial performance indexes. Perhaps most important, the good-implementer respondents say their companies sustained twice the value from their prioritized opportunities two years after the change efforts ended, compared with those at poor implementers
 Functionally designed and specified to meet the ISO 31000 series
 Institute of Risk Management (IRM) , Risk Culture, Under the Microscope: Guidance for Boards
 Speak up/Stand up/Ethics Line/Whistleblower Lines etc.
This is part two of a series of five on the topic of risk appetite and its associated FAQs.
The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards are mobilized in terms of their comprehension of the links between risk and strategy. This is achieved either through painful and expensive crises or through the less expensive development of a risk appetite framework (RAF). Understanding risk appetite is very much a work in progress for many organizations. The first article made a number of observations of a general nature based on experience in working with a wide variety of companies. This article describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management.
The Risk Landscape
Lessons learned following the great financial crisis (GFC) include the importance of establishing an effective risk governance framework at the board level. In essence, two key questions must now be addressed by boards.
First, do boards express clearly and comprehensively the extent of their willingness to take risk to meet their strategic and business objectives? Second, do they explicitly articulate risks that have the potential to threaten their operations, business model and reputation?
To be in a position to provide credible answers to these fundamental questions, we must first seek to understand the relationship between risk and strategy.
It is RMI’s experience that risk and strategy are intertwined. One does not exist without the other, and they must be considered together. Such consideration needs to take place throughout the execution of strategy. Consequently, it is vital that due regard is given to risk appetite when strategy is being formulated1
Crucially, risk is now defined as “the effect of uncertainty on objectives.”2
It is clear, therefore, that effective corporate governance is strategy- and objective-setting on the one hand, and superior execution with due regard for risks on the other. This particular landscape is what we in RMI refer to as the interpolation of risk and strategy. For this reason, RMI describes board risk assurance as assurance that strategy, objectives and execution are aligned. Alignment is achieved through operationalization of the links between risk and strategy, which will be described in the final article in this series.
Before further discussion, however, we would like to draw attention to observations based on our practical experience that give cause for concern, namely:
1. Risk appetite: While we now have a globally accepted risk management standard3 and sharper regulatory definition of effective risk management for regulated organizations, there is as yet much confusion, and neither a consensus nor an internationally accepted guidance, as to the attributes of an effective risk appetite framework.
2. Risk reporting: In relation to risk reporting, two significant matters arise:
Risk registers that are primarily generated on the basis of a compliance-centric requirement, as distinct from an objectives-centric4 approach, tend to contain lists of risks that are not explicitly associated with objectives. As such, they offer little value in terms of reporting on risk performance.
Note: RMI supports the adoption of a board-driven, objectives-centric approach5 to reporting and monitoring risks to operations, the business model and reputation.
Risk registers and other reporting tools detail known risks and what we know we know. They tend not to detail emerging or high-velocity risks that have the potential to threaten the business model. As such they tend to be of limited value in terms of reporting or monitoring either unknown knowns6, or unknown unknown7 risks. This is a matter that should give boards cause for concern given pace of change, hyper-connectivity and the disruptive nature of new technologies.
3. Risk data governance: The quality, rigor and consistency in application of accounting data that is present in well-managed organizations does not equally exist in those same organizations in the risk domain.
The responsibility of directors to use reliable accounting information and apply controls over assets, etc. (internal controls) as part of their legally mandated role extends equally to information pertaining to risks that threaten financial performance. The latter is not, however, treated in an equivalent fashion to accounting data. Whereas the integrity of accounting data is assured through the use of proven and accepted accounting systems subject to audit, information pertaining to risks typically relies on the use of disparate Excel spreadsheets, word documents and Power Points with weak controls over the efficacy of copying and pasting of data from one level of report to another.
Weaknesses and failings in risk data governance can be addressed in much the same way as for other governance requirements.
a. Comprehensive training for business line managers and supervisors on:
(Risk) Management Processes,
Board (Risk) Assurance Requirements
b. Performance in executing (risk) management roles and responsibilities included in annual performance appraisals,
c. System8 put to process through the use of database/work flow solutions, providing an evidence basis of assurance that:
The quality, timing, accessibility and auditability of risk performance data is as rigorously and consistently applied as that for accounting data,
Dynamic management of risk data (including risk appetite/tolerance/criteria) can be tracked at the pace of change
Tests can be applied to the aggregation of risks to objectives at the pace of change and prompt interdictions applied when required,
Reports, or notification, of significant risks are escalated without delay, and without risk to the originator of information.
4. Lack of understanding of the nature of the risks that need to be mastered in the boardroom:
Going back to our definition of risk as the effect of uncertainty on objectives: There are many types of objectives — for example, economic, financial, political, regulatory, operational, customer service, product innovation, market share, health safety, etc. — and there are multiple categories of risk. But what is uncertainty?
Uncertainty9 is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or its likelihood.
There are essentially two kinds of uncertainty:
1. Measurable uncertainties: These are inherently insurable because they occur independently (for example, traffic accidents, house fires, etc.) and with sufficient frequency as to be reckonable using traditional statistical methods.
Measurable uncertainties are treated individually through traditional (risk) management supervision, and residually through insurance.
Measurable uncertainties are funded out of operating profits.
2. Unmeasurable uncertainties: These are inherently un-insurable using traditional methods because of the paucity of reliable data. For example, whereas we can observe multiple supply chain and service interruptions, data breaches, etc. they are not sufficiently similar or comparable to be soundly put to a probability distribution and statistically analyzed.
Un-measurable uncertainties are treated on a broad basis through organizational resilience. For the top 5-15 corporate risks10 that are typically inestimable in terms of likelihood of occurrence, the organization seeks to maintain an ability to absorb and respond to shocks and surprises and to deliver credible solutions before reputation is damaged and stakeholders lose confidence.
Un-measurable uncertainties are funded out of the balance sheet.
The hyper-connected and multispeed world in which we live today has driven the effect of un-measurable uncertainties on company objectives to unprecedented, heights, and so amplified the risk potential enormously.
5. Urgent need to recognize the mission-critical importance of building and preparing management to always be prepared to offer credible solutions in the face of unexpected shocks and surprises Figure 1 below describes the evolution of risk management as depicted within the red dotted line11 and the next stage of the evolution (resilience) as envisioned by RMI.
Figure 1: Evolution of risk and the emergence of “resilience” as the current era in the evolution of 21st century understanding of risk
Resilience was the theme that ran through the World Economic Forum: Global Risks 2013, Eight Edition Report. Resilience was described as capability to
Adapt to changing contexts,
Withstand sudden shocks, and
Recover to a desired equilibrium, either the previous one or a new one, while preserving the continuity of operations.
The three elements in this definition encompass both recoverability (the capacity for speedy recovery after a crisis) and adaptability (timely adaptation in response to a changing environment).
The Global Risks 2013 Report emphasized that global risks do not fit neatly into existing conceptual frameworks but that this is changing insofar as the Harvard Business Review (Kaplan and Mikes12) recently published a concise and practical taxonomy that may also be used to consider global risks13.
The report advises that building resilience against external risks is of paramount importance and alerts directors to the importance of scanning a wider risk horizon than that normally scoped in risk frameworks.
When considering external risks, directors need to be cognizant of the growing awareness and understanding of the importance of emerging risks.
Emerging risks can be internal as well as external, particularly given growing trends in outsourcing core functions and processes.
It is also interesting to observe the diversity in understanding of emerging risk definitions. For example:
Lloyds: An issue that is perceived to be potentially significant but that may not be fully understood or allowed for in insurance terms and conditions, pricing, reserving or capital setting,
PWC: Those large-scale events or circumstances beyond one’s direct capacity to control, that have impact in ways difficult to imagine today,
S&P: Risks that do not currently exist,
The 2014 annual Emerging Risks Survey (a poll of more than 200 risk managers predominantly based at North American re/insurance companies) reported the top five emerging risks as follows:
Financial volatility (24% of respondents)
Cyber security/interconnectedness of infrastructure (14%)
Liability regimes/regulatory framework (10%)
Blowup in asset prices (8%)
Chinese economic hard landing (6%)
Maintaining business defense systems capable of defending the business model has become an additional fiduciary requirement for the board, alongside succession planning and setting strategic direction15.
1 Influenced by COSO (Committee of Sponsoring Organizations of the Threadway Commission, Enterprise Risk Management (ERM) Understanding and Communicating Risk Appetite, by Dr. Larry Rittenberg and Frank Martens
2 Source: ISO 31000 (Risk Management 2009). ISO 31000 is now the globally accepted risk management standard.
3 The new globally accepted risk management standard (ISO 31000) is not intended for the purposes of certification. Rather, it contains guidance as to risk-management principles, a framework and risk management process that can be applied to any organization, part of an organization or project, etc. As such, it provides an overarching context for the application of domain-specific risk standards and regulations — for example, Solvency II, environmental risk, supply chain risks, etc.
4 Risk Communication Aligning the Board and C-Suite: Exhibit 1 Top Challenges of Board and Management Risk Communication by Association for Financial Professionals (AFP), the National Association of Corporate Directors (NACD) and Oliver Wyman
5 The Conference Board Governance Centre, Risk Oversight: Evolving Expectations of Board, by Parveen P. Gupta and Tim J Leech
6 An unknown known risk is one that is known, and understood, at one level (e.g. typically top, middle, lower level management) in an organization but not known at the leadership and governance levels (i.e. executive and board levels)
7An unknown unknown risk is a so called black-swan (The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb)
8 Specified to the ISO 31000 series
9 Source: ISO 31000 (Risk Management 2009). ISO 31000 is now the globally accepted risk management standard
10 More than 80% of volatility in earnings and financial results comes from the top 10 to 15 high-impact risks facing a company: Risk Communication Aligning the Board and C-Suite, by the Association for Financial Professionals (AFP), the National Association of Corporate Directors (NACD), and Oliver Wyman
11 Source: Institute of Management Accountants, Statements on Management Accounting, Enterprise Risk Management : Frameworks, Elements and Integration
12 Managing Risks: A New Framework
13 Kaplan and Mikes’ third category of risk is termed “external” risks, but the Global Risk 2013 report refers to them as “global risks.” They are complex and go beyond a company’s scope to manage and mitigate (i.e. they are exogenous in nature).
14 Audit and Risk, 21 July 2014, Matt Taylor, Protiviti UK,
15 The Financial Reporting Council has determined that it will integrate its current guidance on going concern and risk management and internal control and make some associated revisions to the UK Corporate Governance Code (expected in 2014). It is expected that emphasis will be placed on the board’s making a robust assessment of the principal risks to the company’s business model and ability to deliver its strategy, including solvency and liquidity risks. In making that assessment, the board will be expected to consider the likelihood and impact of these risks materializing in the short and longer term;