We can know, looking back at last year, how much risk an insurer was exposed to. And we can simply look at the balance sheet to see how much capital they held. So that is the way we have tended to look at solvency. Backwards. Was the insurer solvent at the end of last year? Not really useful information. Unless…
Unless you make an assumption about the future. Not an unusual assumption. Just the common assumption that the future will be like the past.
That assumption is usually okay. Let’s see. In the past 15 years, it has been correct four or five times. But is that record good enough for solvency work — a system that might give the right answer a third of the time?!
There is a solution. Regulators have led us right up to that solution but haven’t yet dared to say what it is. Perhaps they do not know, or have not even considered, that the backward-looking problem has two aspects. We are making two heroic assumptions:
We are assuming that the environment will be the same in the near future as it was in the recent past.
We are assuming that the company activity will be the same in the near future as it was in the recent past.
The regulatory solution based on these two shaky assumptions is:
A look forward using company plans
Solution 1 can help, but solution 2 can be significantly improved by using the enterprise risk management (ERM) program and risk appetite.
You may have noticed that regulators have all said that ERM is very important. And that risk appetite is a very, very important part of ERM. But regulators have never, ever, explained why understanding risk appetite is important.
Well, the true answer is that it can be important. It can be the solution to one part of the backward-looking problem. The idea of looking forward with company plans is a step in the right direction. But only a half step. The full solution is the Full Limits Stress Test.
That test looks forward to see how the company will operate based on the risk appetite and limits that management has set. ERM and risk appetite provide a specific vision of how much risk is allowed by management and the board. The plan represents a target, but the risk appetite represents the most risk that the company is willing to take.
So the Full Limits Stress Test would involve looking at the company with the assumption that it chooses to take the full amount of risk that the ERM program allows. That can then be combined with the stress scenarios regarding the external environment.
Now, the Full Limits Stress Test will only actually use the risk appetite for firms that have a risk appetite and an ERM program that clearly functions to maintain the risk of the firm within the risk appetite. For firms that do not have such a system in place, the Full Limits Stress Test needs to substitute some large amount of growth of risk, because that is what industry experience tells us can happen to a firm that has gone partially or fully out of control with regard to its risk taking.
The connection between ERM and solvency becomes very substantial and realistic:
A firm with a good risk management program and tight limits and overall risk appetite will need the amount of capital that would support the planned functioning of the ERM program. The overall risk appetite will place a limit on the degree to which all individual risk limits can be reached at the same time.
An otherwise similar firm with a risk management program and loose risk appetite will need to hold more capital.
A similar firm with individual risk limits but no overall risk appetite will need to hold capital to support activity at the limit for every single risk.
A firm without a risk management program will need to hold capital to support the risks that history tells us that a firm with uncontrolled growth of risk might take on in a year. A track record of informal control of risk growth cannot be used as a predictor of the range of future performance. (It may be valuable to ask all firms to look at an uncontrolled growth scenario, as well, but firms with a good risk control process will be considered to have prepared for that scenario with their ERM program.)
A firm without any real discipline of its risk management system will be treated similarly to a firm without an ERM program.
With this Full Limits Stress Test, ERM programs will then be fully and directly connected to solvency in an appropriate manner.
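The capital logic laid out in the list above can be written down as a small model. The following is an added example, not code from the original post or from any regulator: it classifies a firm by the discipline of its ERM program, works out the risk level the Full Limits Stress Test assumes the firm will reach (every limit hit, capped by the overall appetite where one is enforced; an uncontrolled-growth multiplier where there is no disciplined program), and then combines that with external stress scenarios. The firms, exposures, limits, loss rates and the growth multiplier are all constructed sample values; the text gives no figures.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class ErmMaturity(Enum):
    """How far the firm's risk taking is actually governed (categories from the text)."""
    OVERALL_APPETITE = "individual limits plus an enforced overall risk appetite"
    LIMITS_ONLY = "individual risk limits, no overall appetite"
    NONE = "no functioning or disciplined ERM program"


@dataclass
class Firm:
    name: str
    capital: float                                  # capital held, same units as exposures
    exposures: Dict[str, float]                     # current exposure per risk
    limits: Dict[str, float] = field(default_factory=dict)  # per-risk limits, if any
    overall_appetite: Optional[float] = None        # cap on total risk, if any
    maturity: ErmMaturity = ErmMaturity.NONE


def full_limits_exposure(firm: Firm, uncontrolled_growth: float) -> float:
    """Risk level the Full Limits Stress Test assumes the firm will reach.

    uncontrolled_growth is a constructed multiplier standing in for the
    "large amount of growth of risk" that industry experience suggests for a
    firm whose risk taking is out of control; the text gives no figure.
    """
    if firm.maturity is ErmMaturity.NONE:
        # A track record without a disciplined process is not a predictor:
        # assume every current exposure grows by the uncontrolled-growth multiplier.
        return sum(firm.exposures.values()) * uncontrolled_growth

    unlimited = set(firm.exposures) - set(firm.limits)
    if unlimited:
        raise ValueError(f"{firm.name}: no limit set for risks {sorted(unlimited)}")

    # Every individual risk is assumed to run up to its limit...
    at_limits = sum(firm.limits.values())
    if firm.maturity is ErmMaturity.OVERALL_APPETITE and firm.overall_appetite is not None:
        # ...but an enforced overall appetite bounds how much of that can happen at once.
        return min(at_limits, firm.overall_appetite)
    return at_limits


def required_capital(stressed_exposure: float, scenarios: Dict[str, float]) -> float:
    """Combine the stressed exposure with external stress scenarios.

    Each scenario is modelled (an assumption of this example) as a loss rate
    applied to the stressed exposure; capital needed is the worst loss across them.
    """
    return max(stressed_exposure * loss_rate for loss_rate in scenarios.values())


def run_test(firm: Firm, uncontrolled_growth: float, scenarios: Dict[str, float]) -> dict:
    """Return stressed exposure, required capital and the resulting surplus."""
    exposure = full_limits_exposure(firm, uncontrolled_growth)
    need = required_capital(exposure, scenarios)
    return {"stressed_exposure": exposure, "required_capital": need,
            "surplus": firm.capital - need, "passes": firm.capital >= need}


# Constructed sample: four otherwise identical firms differing only in ERM maturity.
EXPOSURES = {"credit": 40.0, "equity": 30.0, "property": 20.0}
LIMITS = {"credit": 60.0, "equity": 50.0, "property": 40.0}
SCENARIOS = {"mild downturn": 0.10, "severe downturn": 0.25}   # constructed loss rates
GROWTH = 2.0                                                    # constructed multiplier

SAMPLE_FIRMS = [
    Firm("tight appetite", 30.0, EXPOSURES, LIMITS, 100.0, ErmMaturity.OVERALL_APPETITE),
    Firm("loose appetite", 30.0, EXPOSURES, LIMITS, 130.0, ErmMaturity.OVERALL_APPETITE),
    Firm("limits only", 30.0, EXPOSURES, LIMITS, None, ErmMaturity.LIMITS_ONLY),
    Firm("no ERM", 30.0, EXPOSURES, {}, None, ErmMaturity.NONE),
]

if __name__ == "__main__":
    for f in SAMPLE_FIRMS:
        r = run_test(f, GROWTH, SCENARIOS)
        print(f"{f.name:15s} stressed exposure={r['stressed_exposure']:6.1f} "
              f"capital needed={r['required_capital']:5.1f} "
              f"{'PASS' if r['passes'] else 'FAIL'}")
```

With the sample values the ordering in the text falls out directly: the firm with the tight appetite needs capital for 100 of exposure, the loose-appetite firm for 130, the limits-only firm for the full 150 sum of its limits, and the firm without a disciplined program for 180 of assumed uncontrolled growth. The `ValueError` branch is the practical check a reviewer would want: a risk carried on the books with no limit attached cannot be treated as controlled, however mature the rest of the program looks.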
This is part two of a series of five on the topic of risk appetite and its associated FAQs.
The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards are mobilized in terms of their comprehension of the links between risk and strategy. This is achieved either through painful and expensive crises or through the less expensive development of a risk appetite framework (RAF). Understanding risk appetite is very much a work in progress for many organizations. The first article made a number of observations of a general nature based on experience in working with a wide variety of companies. This article describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management.
The Risk Landscape
Lessons learned following the great financial crisis (GFC) include the importance of establishing an effective risk governance framework at the board level. In essence, two key questions must now be addressed by boards.
First, do boards express clearly and comprehensively the extent of their willingness to take risk to meet their strategic and business objectives? Second, do they explicitly articulate risks that have the potential to threaten their operations, business model and reputation?
To be in a position to provide credible answers to these fundamental questions, we must first seek to understand the relationship between risk and strategy.
It is RMI’s experience that risk and strategy are intertwined. One does not exist without the other, and they must be considered together. Such consideration needs to take place throughout the execution of strategy. Consequently, it is vital that due regard is given to risk appetite when strategy is being formulated.1
Crucially, risk is now defined as “the effect of uncertainty on objectives.”2
It is clear, therefore, that effective corporate governance is strategy- and objective-setting on the one hand, and superior execution with due regard for risks on the other. This particular landscape is what we in RMI refer to as the interpolation of risk and strategy. For this reason, RMI describes board risk assurance as assurance that strategy, objectives and execution are aligned. Alignment is achieved through operationalization of the links between risk and strategy, which will be described in the final article in this series.
Before further discussion, however, we would like to draw attention to observations based on our practical experience that give cause for concern, namely:
1. Risk appetite: While we now have a globally accepted risk management standard3 and sharper regulatory definition of effective risk management for regulated organizations, there is as yet much confusion, and neither a consensus nor an internationally accepted guidance, as to the attributes of an effective risk appetite framework.
2. Risk reporting: In relation to risk reporting, two significant matters arise:
Risk registers that are primarily generated on the basis of a compliance-centric requirement, as distinct from an objectives-centric4 approach, tend to contain lists of risks that are not explicitly associated with objectives. As such, they offer little value in terms of reporting on risk performance.
Note: RMI supports the adoption of a board-driven, objectives-centric approach5 to reporting and monitoring risks to operations, the business model and reputation.
Risk registers and other reporting tools detail known risks and what we know we know. They tend not to detail emerging or high-velocity risks that have the potential to threaten the business model. As such they tend to be of limited value in terms of reporting or monitoring either unknown known6 or unknown unknown7 risks. This is a matter that should give boards cause for concern given the pace of change, hyper-connectivity and the disruptive nature of new technologies.
3. Risk data governance: The quality, rigor and consistency in application of accounting data that is present in well-managed organizations does not equally exist in those same organizations in the risk domain.
The responsibility of directors to use reliable accounting information and apply controls over assets, etc. (internal controls) as part of their legally mandated role extends equally to information pertaining to risks that threaten financial performance. The latter is not, however, treated in an equivalent fashion to accounting data. Whereas the integrity of accounting data is assured through the use of proven and accepted accounting systems subject to audit, information pertaining to risks typically relies on the use of disparate Excel spreadsheets, Word documents and PowerPoints with weak controls over the efficacy of copying and pasting of data from one level of report to another.
Weaknesses and failings in risk data governance can be addressed in much the same way as for other governance requirements.
a. Comprehensive training for business line managers and supervisors on:
(Risk) Management Processes,
Board (Risk) Assurance Requirements
b. Performance in executing (risk) management roles and responsibilities included in annual performance appraisals,
c. System8 put to process through the use of database/work flow solutions, providing an evidence basis of assurance that:
The quality, timing, accessibility and auditability of risk performance data is as rigorously and consistently applied as that for accounting data,
Dynamic management of risk data (including risk appetite/tolerance/criteria) can be tracked at the pace of change
Tests can be applied to the aggregation of risks to objectives at the pace of change and prompt interdictions applied when required,
Reports, or notification, of significant risks are escalated without delay, and without risk to the originator of information.
4. Lack of understanding of the nature of the risks that need to be mastered in the boardroom:
Going back to our definition of risk as the effect of uncertainty on objectives: There are many types of objectives — for example, economic, financial, political, regulatory, operational, customer service, product innovation, market share, health and safety, etc. — and there are multiple categories of risk. But what is uncertainty?
Uncertainty9 is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or its likelihood.
There are essentially two kinds of uncertainty:
1. Measurable uncertainties: These are inherently insurable because they occur independently (for example, traffic accidents, house fires, etc.) and with sufficient frequency as to be reckonable using traditional statistical methods.
Measurable uncertainties are treated individually through traditional (risk) management supervision, and residually through insurance.
Measurable uncertainties are funded out of operating profits.
2. Unmeasurable uncertainties: These are inherently un-insurable using traditional methods because of the paucity of reliable data. For example, whereas we can observe multiple supply chain and service interruptions, data breaches, etc. they are not sufficiently similar or comparable to be soundly put to a probability distribution and statistically analyzed.
Un-measurable uncertainties are treated on a broad basis through organizational resilience. For the top 5-15 corporate risks10 that are typically inestimable in terms of likelihood of occurrence, the organization seeks to maintain an ability to absorb and respond to shocks and surprises and to deliver credible solutions before reputation is damaged and stakeholders lose confidence.
Un-measurable uncertainties are funded out of the balance sheet.
The hyper-connected and multispeed world in which we live today has driven the effect of un-measurable uncertainties on company objectives to unprecedented heights, and so amplified the risk potential enormously.
5. Urgent need to recognize the mission-critical importance of building and preparing management so that it is always able to offer credible solutions in the face of unexpected shocks and surprises. Figure 1 below describes the evolution of risk management as depicted within the red dotted line11 and the next stage of the evolution (resilience) as envisioned by RMI.
Figure 1: Evolution of risk and the emergence of “resilience” as the current era in the evolution of 21st century understanding of risk
Resilience was the theme that ran through the World Economic Forum: Global Risks 2013, Eighth Edition Report. Resilience was described as the capability to
Adapt to changing contexts,
Withstand sudden shocks, and
Recover to a desired equilibrium, either the previous one or a new one, while preserving the continuity of operations.
The three elements in this definition encompass both recoverability (the capacity for speedy recovery after a crisis) and adaptability (timely adaptation in response to a changing environment).
The Global Risks 2013 Report emphasized that global risks do not fit neatly into existing conceptual frameworks but that this is changing insofar as the Harvard Business Review (Kaplan and Mikes12) recently published a concise and practical taxonomy that may also be used to consider global risks13.
The report advises that building resilience against external risks is of paramount importance and alerts directors to the importance of scanning a wider risk horizon than that normally scoped in risk frameworks.
When considering external risks, directors need to be cognizant of the growing awareness and understanding of the importance of emerging risks.
Emerging risks can be internal as well as external, particularly given growing trends in outsourcing core functions and processes.
It is also interesting to observe the diversity in understanding of emerging risk definitions. For example:
Lloyds: An issue that is perceived to be potentially significant but that may not be fully understood or allowed for in insurance terms and conditions, pricing, reserving or capital setting,
PWC: Those large-scale events or circumstances beyond one’s direct capacity to control, that have impact in ways difficult to imagine today,
S&P: Risks that do not currently exist,
The 2014 annual Emerging Risks Survey (a poll of more than 200 risk managers predominantly based at North American re/insurance companies) reported the top five emerging risks as follows:
Financial volatility (24% of respondents)
Cyber security/interconnectedness of infrastructure (14%)
Liability regimes/regulatory framework (10%)
Blowup in asset prices (8%)
Chinese economic hard landing (6%)
Maintaining business defense systems capable of defending the business model has become an additional fiduciary requirement for the board, alongside succession planning and setting strategic direction15.
1 Influenced by COSO (Committee of Sponsoring Organizations of the Treadway Commission), Enterprise Risk Management (ERM): Understanding and Communicating Risk Appetite, by Dr. Larry Rittenberg and Frank Martens
2 Source: ISO 31000 (Risk Management 2009). ISO 31000 is now the globally accepted risk management standard.
3 The new globally accepted risk management standard (ISO 31000) is not intended for the purposes of certification. Rather, it contains guidance as to risk-management principles, a framework and risk management process that can be applied to any organization, part of an organization or project, etc. As such, it provides an overarching context for the application of domain-specific risk standards and regulations — for example, Solvency II, environmental risk, supply chain risks, etc.
4 Risk Communication Aligning the Board and C-Suite: Exhibit 1 Top Challenges of Board and Management Risk Communication by Association for Financial Professionals (AFP), the National Association of Corporate Directors (NACD) and Oliver Wyman
5 The Conference Board Governance Centre, Risk Oversight: Evolving Expectations of Board, by Parveen P. Gupta and Tim J Leech
6 An unknown known risk is one that is known, and understood, at one level (e.g. typically top, middle, lower level management) in an organization but not known at the leadership and governance levels (i.e. executive and board levels)
7 An unknown unknown risk is a so-called black swan (The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb)
8 Specified to the ISO 31000 series
9 Source: ISO 31000 (Risk Management 2009). ISO 31000 is now the globally accepted risk management standard
10 More than 80% of volatility in earnings and financial results comes from the top 10 to 15 high-impact risks facing a company: Risk Communication Aligning the Board and C-Suite, by the Association for Financial Professionals (AFP), the National Association of Corporate Directors (NACD), and Oliver Wyman
11 Source: Institute of Management Accountants, Statements on Management Accounting, Enterprise Risk Management: Frameworks, Elements and Integration
12 Managing Risks: A New Framework
13 Kaplan and Mikes’ third category of risk is termed “external” risks, but the Global Risk 2013 report refers to them as “global risks.” They are complex and go beyond a company’s scope to manage and mitigate (i.e. they are exogenous in nature).
14 Audit and Risk, 21 July 2014, Matt Taylor, Protiviti UK,
15 The Financial Reporting Council has determined that it will integrate its current guidance on going concern and risk management and internal control and make some associated revisions to the UK Corporate Governance Code (expected in 2014). It is expected that emphasis will be placed on the board’s making a robust assessment of the principal risks to the company’s business model and ability to deliver its strategy, including solvency and liquidity risks. In making that assessment, the board will be expected to consider the likelihood and impact of these risks materializing in the short and longer term;
This is the first paper of a series of five on the topic of risk appetite. Understanding of risk appetite is very much a work in progress in many organizations. The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards are mobilized and comprehend the links between risk and strategy. This is achieved either through painful and expensive crises, or through the less expensive development of a risk appetite framework (RAF).
Paper 1 makes a number of general observations based on experience in working with a wide variety of companies. Paper 2 describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management. Paper 3 answers questions relating to the need for risk appetite frameworks and describes in some detail the relationship between them and strategy. Paper 4 answers further questions on risk appetite and goes into some detail on the questions of risk culture and maturity. Paper 5 describes the characteristics of a risk appetite statement and provides a detailed summary of how to operationalize the links between risk and strategy.
Paper 1: Introduction
Since the global financial crisis (GFC), regulators, investors and boards have become determined to avoid a repetition of such a cataclysmic event and have increased demand for more effective risk management. As financial risk reporting failed to predict the GFC, there is growing recognition of the need to build organizational resilience through effective mapping of risks and to demonstrate the capability to manage low-probability, high-impact events. Concern is also growing over the increase in cybercrime and over digital risk.
1. Directors and senior managers need a globally accepted guide on the attributes of an effective risk appetite framework.
2. Emphasis is shifting globally from risk management to building resilience. Risk optimization is achieved when risk and strategy are aligned with corporate objectives. Achieving this requires that both the board and executives master strategic, emerging and external/global risks through robust (risk) horizon scanning, proofing and testing.
3. “Strategic risks” are those that are most consequential to the organization’s ability to execute its strategies and achieve its business objectives. These are the risk exposures that can ultimately affect shareholder value or the viability of the organization. “Strategic risk management” is “the process of identifying, assessing and managing the risk in the organization’s business strategy—including taking swift action [when problems arise]. Strategic risk management is focused on those most consequential and significant risks to shareholder value, an area that requires the time and attention of executive management and the board of directors.”1
RMI thus defines board risk assurance as assurance that strategy, objectives and execution are aligned.
4. That alignment is achieved through operationalizing the links between risk and strategy. This involves:
Strengthening the strategic planning process through organizational integration of the risk and strategy functions/processes, with authority derived directly from the board and CEO’s office,
Establishing an effective risk appetite framework,
Understanding, and improving, the organizational level of risk maturity,
Building organizational resilience,
Proofing and testing management’s ability to offer credible solutions when both exploiting and defending operations, the business model and reputation.
5. The risk appetite framework (RAF)2 is to the board what risk management3 is to the rest of the organization. As such, there is a direct correlation between the efficacy of the RAF and the efficacy of the risk management framework4. The audit committee of the board and the risk subcommittee must have charters that provide a risk governance framework that mandates:
Direct CEO oversight of an integrated risk and strategy capability,
Board risk subcommittee oversight of:
The risk appetite framework,
Advancing and maintaining risk maturity, which can deliver value through:
Access to capital at lower cost than that achieved by less mature competitors,
More favorable credit ratings than those achieved by less mature competitors,
Optimization of risk transfer through both traditional and modern self-insurance methods.
Risk data governance maintained to standards of rigor and consistency like those that apply for accounting data,
Perpetual proofing and testing of management’s readiness to offer credible solutions when both opportunity strikes and abnormal and adverse events occur.
We agree with Peter Bernstein, author of Against the Gods: The Remarkable Story of Risk, when he says, “In the absence of certainty. . . [we must] focus on excellent execution and demonstrable resilience at the same time whilst taking as much acceptable risk as is reasonably possible.” We likewise agree with Robert S. Kaplan, author of Risk Management and the Strategy Execution System, who says: “Risk management. . . is about identifying, avoiding and overcoming the hurdles that the strategy may encounter along the way. Avoiding risk does not advance the strategy; but risk management can reduce obstacles and barriers that would otherwise prevent the organization from progressing to its strategic destination.”
1 Source: Harvard Law School Forum on Corporate Governance and Financial Regulation: Strategic Risk Management: A Primer for Directors, Aug 2012
2 The RAF is the “overall approach, including the policies, controls and systems, through which risk appetite is established, communicated and monitored.”
3 Risk management: coordinated activities to direct and control an organization with regard to risk. Source: ISO Guide 73 Risk Management – Vocabulary
4 Risk management framework: set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization
NOTE 1 The foundations include the policy, objectives, mandate and commitment to manage risk.
NOTE 2 The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities.
NOTE 3 The risk management framework is embedded within the organization’s overall strategic and operational policies and practices.
Many have struggled to find and articulate a risk appetite. It is actually not too hard to find, if you know where to look. It is right there – on the border.
Risk appetite is the border between the board and management. Once management has proposed a risk appetite and the board has approved it, then management is empowered to take risks. As long as the risks are within the risk appetite, then management does not need to inform the board until after taking those risks. If management plans to take risks that are outside of the risk appetite, then executives must go to the board in advance for permission.
That, of course, is just the bare minimum communication with the board about risk. There are five topics that make up a good level of board communications:
1. Risk appetite and plan
2. Risk position and profile
3. Top-risk mitigation and capabilities
4. Emerging risks
5. Major changes to risk environment and risk plan
The first and last items are the subject here. The other topics will be covered in later posts.
Notice that the first item on the list above is appetite AND Plan. Before discussing risk appetite, both management and the board need to be very familiar with the company’s historic levels of risk and the intentions for risk level. If there is no history of risk planning, it is totally premature to even discuss risk appetite.
It is doubtless true in all cases that management has vast experience with risk taking, as well as experience with risk taking that ended up creating losses or other undesirable adverse consequences. But unless there has been experience of planned and monitored risk taking, there is a natural propensity to start with the presumption that, in the past, the highest-risk activities are those that ended in losses and that activities that did not end up with losses were lower-risk. While losses are a good indication of one sort of risk, they are not the only way to assess risk.
Imagine the risk of an earthquake in a specific area. There have been no earthquake losses there in living memory. But that doesn’t mean that there is no risk. There was a devastating earthquake there just 150 years ago, thus there is certainly some potential for future events.
Risk is not loss, and loss is not risk. Risk is the potential for loss. It only exists in advance of an event. Loss is the negative outcome of an event.
Risk appetite sits on another border. That is the border between regular and extraordinary mitigation. For each of the major risks of a firm, we have a regular process for control, mitigation and treatment of the risk that we hold and the risk that we acquire. We also should have some idea of what we might do if the level of risk gets out of hand. For example, a life insurer writing variable annuities might have a hedging program that is used to mitigate unwanted equity market risk. A P&C insurer might have a reinsurance program to lay off excess aggregations of property risk. A bank might have a securitization program to mitigate the portion of mortgage risk that it does not want to keep. In all three cases, an unexpected jump in closing rate or a new, very successful distributor might suddenly cause the level of residual risk after normal mitigation to become excessive.
Usually, this is evidenced by a weakening solvency margin. The company must go into extraordinary mitigation mode. That means that for the risk that has become excessive, or for another risk if they have a nimble risk steering function, there will need to be some major change in operations to bring the level of risk back into line. The choices for these extraordinary mitigations may be simple adjustments to the normal mitigation processes, a shift in hedging targets, a drop in the reinsurance retention or an increased emphasis on securitizing all tranches. But most often these extraordinary mitigations involve real changes to plans, such as a change in pricing structure, risk acceptance procedures, a change in product or distribution strategy to discourage the least profitable or highest risk sales or a change in a share buy-back plan. In the most extreme cases, there might be a need to temporarily shut down the source of the excessive risk.
Unexpected losses might also cause a sudden shift downward in risk capacity and therefore in risk appetite. In such cases, extraordinary mitigations will favor options that might speed the rebuilding of capital. In the most extreme cases, the final stage mitigation would be to sell an entire operation along with the embedded risk exposures.
Almost all of those extraordinary mitigation choices are not decisions that management prefers for businesses. But good managers have some advance idea of the priority order in which they might apply those tactics as well as the triggers for such actions. Those triggers are the boundary for risk taking. They are reflective of the risk appetite.
So if you recognize that risk appetite is this boundary condition, you realize that the talk you hear in some places of “allocating risk appetite” is not the approach that you want to take. What you really need is a risk target that is allocated. The risk target is your plan. It is not totally “efficient,” but there should be a buffer between the risk target and the risk appetite. That buffer allows for the fact that we do not control and may not even immediately notice all of the things that might cause our risk level to fluctuate, but we need a risk target because risk appetite is really the border that we hope not to cross.