Corporate Compliance Insights
Board Oversight of Management’s Risk Appetite and Tolerance: What Does it Really Mean?

by Tim Leech
February 17, 2016
in Governance

with co-author Parveen P. Gupta

In 2013 the Financial Stability Board (FSB), the single most globally influential financial and securities regulator, issued guidance that calls on national regulators to codify a new regulatory expectation of Boards of Directors:

“The Board of Directors must establish the institution-wide RAF (Risk Appetite Framework) and approve the risk appetite statement, which is developed in collaboration with the Chief Executive Officer (CEO), Chief Risk Officer (CRO) and Chief Financial Officer (CFO).”[i]

Likewise, in the UK, the 2014 update of the “comply or explain” UK Corporate Governance Code, which governs all UK-listed public companies, states the following principle in section C.2, “Risk Management and Internal Control”:

“The Board is responsible for determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives. The Board should maintain sound risk management and internal control systems.”[ii]

The code further elaborates on this principle through three specific code provisions that respectively ask company directors to (1) “confirm in the annual report that they have carried out a robust assessment of the principal risks facing the company” and (2) “monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness, and report on that review in the annual report.”

For the many impacted by these rising expectations, and by a myriad of others like them in countries around the world, this global trend can be summarized as follows:

Boards of Directors are now increasingly expected to oversee management’s risk appetite and tolerance and take steps to ensure that it is aligned with the Board’s risk appetite and tolerance.

For various reasons, many public company directors are not intimately familiar with the newest Board risk oversight expectations. If prompted, many might well respond with “this all sounds reasonable, but what does it really mean in practice for me?”

In this paper, we attempt to help directors by answering that question.

What are “Risk Appetite” and “Risk Tolerance”?

The International Organization for Standardization (ISO), the global standards-setting body, is among those that define these two terms; its Guide 73 defines them as follows[iii]:

Risk Appetite (3.7.1.2): Amount and type of risk that an organization is willing to pursue or retain.

Risk Tolerance (3.7.1.3): Organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives.

While these definitions are the product of intense global debate and discussion, they also require us to clearly understand what is meant by the terms “risk” and “risk treatment” that appear in them.

Guide 73 defines those two terms as follows:

Risk (1.1): Effect of uncertainty on objectives.

Risk treatment (3.8.1): Process to modify risk.

The term “risk treatment” is further elaborated by noting that the process can involve one or more of the following seven actions:

  • Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
  • Taking or increasing risk in order to pursue an opportunity
  • Removing the risk source
  • Changing the likelihood
  • Changing the consequences
  • Sharing the risk with another party or parties (including contracts and risk financing)
  • Retaining the risk by informed decision

In our daily lives, many times unbeknownst to us, we are confronted with one or more risks. Assuming rationality, our personal “risk management process” revolves around what we explicitly or implicitly think our objectives are and how we approach the task of identifying, evaluating and responding to the events that we perceive will create uncertainty and stop us from achieving those objectives. This can manifest itself in many ways.

A real-life example for people who have been to the beautiful island of Maui in Hawaii would be deciding whether to take the famous scenic drive on what is locally known as “the road to Hana” on Routes 36 and 360. The Hana Highway is about 64 miles long. A Google search will reveal pictures, stories, cautions and accolades about this famous road. Visitors who rent cars may even be told by their car rental agency that the insurance cover on the rental does not extend to those who elect to take “the road to Hana” trip. Those who seek advice from locals may be told that if you choose to undertake the trip, it is critical that you do it clockwise, not counterclockwise. The image below provides the clue that explains the cautions and the advice.

[Image: image001 (not reproduced)]

The adventurers who take the advice will do the trip in a clockwise direction. This allows their car to hug the right side of the road, which means that if the passengers have the misfortune of meeting another car or, in an even worse-case scenario, a truck, the other vehicle will have to pass on the outside edge close to the precipice. The recommended direction of travel would be counterclockwise if the road were in Australia or in the UK, where drivers drive on the left side of the road.

Within the context of this example, “risk appetite” would involve determining whether the passenger(s) renting the car would even want to undertake the trip in the first place once they clearly understand the corresponding risks they will be assuming in pursuing the objectives of seeing some breathtaking scenery and safe passage with no damage or harm to the vehicle or its occupants. Some visitors to Maui may even have unwittingly found themselves on this route. They may not have had an “appetite” or “tolerance” for it had they known and understood the risks. Road signs and maps in the area provide a range of warnings. Some of the warning signs are more graphic than others. An early warning of what is ahead on the road to Hana is shown in the picture below.

[Image: image002 (not reproduced)]

Risk appetite and tolerance can be seen in action in this analogy in the speed at which people travel the route, the distance of their car from the edge of the road, the type of vehicle they are in, their responses if they have the misfortune of meeting a vehicle coming the other direction on a single-lane section of the road, and other events. Risk tolerance, as defined by ISO, also links to whether the drivers are alone or with others, whether they have dependents, their financial resources and ability to absorb the effect of an accident (perhaps without insurance), and other similar variables.

Overseeing Risk Appetite and Tolerance in Public Companies

The 2008 global crisis provided numerous examples of how Boards failed to set and oversee their company’s risk appetite and tolerance. In this regard, the public companies that were at center stage during the financial crisis had to decide if they had an “appetite” to invest in subordinated debt/mortgage-backed assets with material exposure to the U.S. housing market. These companies also had to decide how much effort and how many resources they were willing to expend to identify and understand the risks to those investments meeting or exceeding their target returns. They also had to decide what, if any, risk treatments (such as buying insurance from companies like AIG) they were willing to put in place to mitigate some or all of the risks. If they did decide to insure some of the risks to achieve target returns, they had to decide how many resources and how much effort to invest in evaluating the safety and soundness of AIG and its ability to honor its contractual commitments if the risk(s) AIG agreed to absorb actually materialized.

On the legal front, all Boards must make conscious (or sometimes unconscious) decisions on their organization’s risk appetite with regard to many issues, such as complying with laws, regulations and contracts, issuing materially misstated financial disclosures, etc. Boards with very low legal risk appetites and tolerance must take all the necessary steps to satisfy themselves that employees at all levels in their organizations, including those in the C-Suite, not only share their risk appetite and tolerance thresholds, but also comply with them. The VW emissions scandal of 2015 is a graphic illustration of widespread wrongdoing in a public company that may eventually turn out to involve thousands of employees over many years. Companies that have been convicted of breaching anti-money laundering laws and bribing foreign officials and have received fines in the hundreds of millions add to the list of examples where Board oversight of risk appetite and tolerance failed or, if it did not fail, illustrate what the Board’s actual risk appetite/tolerance was.

Another example of risk appetite and tolerance in action can be found in the area of customer service. The Boards of Directors in many companies routinely make decisions on how many angry and dissatisfied customers they are willing to accept and tolerate. Most readers will have already interacted with companies that have made a conscious decision that a wait time of 10 or more minutes before customer calls are answered is within their company’s risk appetite and tolerance.

Similarly, in the environmental and sustainability area, many companies and their Boards must decide what their appetite and tolerance is for polluting the environment through their operations.

As regulators globally start to comprehend that holding a Board accountable for overseeing management’s risk appetite and tolerance is both a key to better corporate governance and a daunting and complex task, guidance such as that issued by the FSB in 2013 on “Principles for Effective Risk Appetite Frameworks”[iv] and in 2014 on Board oversight of risk culture will increasingly become the gold standard. Provided below are samples of the roles envisioned by the FSB for Boards and CEOs to ensure their companies have an effective “Risk Appetite Framework” in place.

The board of directors should:

a) approve the financial institution’s RAF, developed in collaboration with the CEO, CRO and CFO, and ensure it remains consistent with the institution’s short- and long-term strategy, business and capital plans, risk capacity and compensation programs

b) hold the CEO and other senior management accountable for the integrity of the RAF, including the timely identification, management and escalation of breaches in risk limits and of material risk exposures

c) ensure that annual business plans are in line with the approved risk appetite and incentives/disincentives are included in the compensation programs to facilitate adherence to risk appetite

d) include an assessment of risk appetite in their strategic discussions, including decisions regarding mergers, acquisitions and growth in business lines or products

e) regularly review and monitor the actual risk profile and risk limits against the agreed levels (e.g. by business line, legal entity, product, risk category), including qualitative measures of conduct risk

f) discuss and monitor to ensure appropriate action is taken regarding “breaches” in risk limits

g) question senior management regarding activities outside the Board-approved risk appetite statement, if any

h) obtain an independent assessment (through internal assessors, third parties or both) of the design and effectiveness of the RAF and its alignment with supervisory expectations

i) satisfy itself that there are mechanisms in place to ensure senior management can act in a timely manner to effectively manage and, where necessary, mitigate material adverse risk exposures — in particular those that are close to or exceed the approved risk appetite statement or risk limits

j) discuss with supervisors decisions regarding the establishment and ongoing monitoring of risk appetite, as well as material changes in the current risk appetite levels or regulatory expectations regarding risk appetite

k) ensure adequate resources and expertise are dedicated to risk management and internal audit in order to provide independent assurances to the Board and senior management that they are operating within the approved RAF, including the use of third parties to supplement existing resources where appropriate

l) ensure risk management is supported by adequate and robust IT and MIS to enable identification, measurement, assessment and reporting of risk in a timely and accurate manner

The CEO should:

a) establish an appropriate risk appetite for the financial institution (in collaboration with the CRO and CFO) that is consistent with the institution’s short- and long-term strategy, business and capital plans, risk capacity and compensation programs and that aligns with supervisory expectations

b) be accountable, together with the CRO, CFO and business lines for the integrity of the RAF, including the timely identification and escalation of breaches in risk limits and of material risk exposures

c) ensure, in conjunction with the CRO and CFO, that the risk appetite is appropriately translated into risk limits for business lines and legal entities and that business lines and legal entities incorporate risk appetite into their strategic and financial planning, decision-making processes and compensation decisions

d) ensure that the institution-wide risk appetite statement is implemented by senior management through consistent risk appetite statements or specific risk limits for business lines and legal entities

e) provide leadership in communicating risk appetite to internal and external stakeholders so as to help embed appropriate risk-taking into the financial institution’s risk culture

f) set the proper tone and example by empowering and supporting the CRO and CFO in their responsibilities and effectively incorporating risk appetite into their decision-making processes

g) ensure business lines and legal entities have appropriate processes in place to effectively identify, measure, monitor and report on the risk profile relative to established risk limits on a continual basis

h) dedicate sufficient resources and expertise to risk management, internal audit and IT infrastructure to help provide effective oversight of adherence to the RAF

i) act in a timely manner to ensure effective management and, where necessary, mitigation of material risk exposures — in particular those that are close to or exceed the approved risk appetite statement and/or risk limits

j) establish a policy for notifying the Board and the supervisor of serious breaches of risk limits and unexpected material risk exposures

Demystifying What Needs to Be Done

The harsh reality is that few companies and their Boards are well equipped today to meet the FSB’s aspirational expectation that Boards effectively oversee management’s risk appetite and tolerance. A full discussion of the obstacles and major changes required to make this aspiration a reality is beyond the scope of this article. You are encouraged to read the longer and more detailed articles written by the authors in earlier issues of Ethical Boardroom[v] [vi] and in Conference Board Director Notes[vii] [viii] [ix].

Are Boards Up To the Task?

There is growing consensus that a key element necessary to prevent the next wave of corporate governance breakdowns is better Board-level oversight of management’s risk appetite and tolerance. Achieving this will require concerted, sustained and major effort and, most importantly, tolerance for massive change from Boards, regulators, CEOs, Chief Risk Officers, internal audit and risk professions and their professional associations and more. The changes necessary are quantum in size and radical in nature. Whether Boards and the companies they oversee are up to the task remains to be seen. Only time will tell.

[i] Financial Stability Board, Principles for an Effective Risk Appetite Framework, November 2013, page 7. Available at http://www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf. Last accessed on December 1, 2015.

[ii] Financial Reporting Council (FRC), UK Corporate Governance Code, September 2014, page 17. Available at https://www.frc.org.uk/Our-Work/Publications/Corporate-Governance/UK-Corporate-Governance-Code-2014.pdf. Last accessed on December 1, 2015.

[iii] ISO, Guide 73 Risk Management – Vocabulary, 2009, page 9. Available at http://saludpublicavirtual.udea.edu.co/moodle/pluginfile.php/3095/mod_page/content/5/iso_iec_guide_73-2009-1.pdf. Last accessed on December 1, 2015.

[iv] Financial Stability Board, Principles for an Effective Risk Appetite Framework, November 2013, pages 8-10.

[v] Gupta, Leech, Overseeing Risk Appetite & Tolerance: Barriers that Need to Be Overcome, Ethical Boardroom, Winter 2014.

[vi] Gupta, Leech, Board Governance/Board Risk Oversight: What Knowledge & Skills Do Directors Need?, Ethical Boardroom, Summer 2015.

[vii] Leech, Board Oversight of Management’s Risk Appetite & Tolerance, Conference Board Director Notes, December 2013.

[viii] Gupta, Leech, Risk Oversight: Evolving Expectations for Boards, Conference Board Director Notes, January 2014.

[ix] Gupta, Leech, The Next Frontier for Boards: Oversight of Risk Culture, Conference Board Director Notes, June 2015.

Copyright © 2016 by Ethical Boardroom strictly reserved. No parts of this material may be reproduced in any form without the written permission of Ethical Boardroom.


Tim Leech

Tim J. Leech, FCPA, CIA, CFE, CRMA, is Managing Director at Risk Oversight Solutions Inc. Risk Oversight Solutions focuses on helping companies more effectively manage risk and assurance to meet escalating Board risk oversight expectations and add real value. He has more than 25 years of experience in the Board risk oversight, ERM, internal audit and forensic accounting fields, including expert witness testimony in civil and criminal proceedings and global experience helping public and private sector organizations with ERM and internal audit transformation initiatives and the design, implementation and maintenance of integrated GRC/ERM frameworks. Leech has provided training for tens of thousands of public and private sector Board members, senior executives, professional accountants, auditors and risk management specialists in Canada, the U.S., the EU, Australia, South America, Africa and the Middle and Far East. He has received worldwide recognition as a pioneer, thought leader and trainer. His newest breakthrough methodology, “Board & C-Suite Driven/Objective Centric ERM and Internal Audit,” has been licensed by the IIA for global deployment starting in the fall of 2014, and his article “Reinventing Internal Audit,” featured in the April 2015 issue of Internal Audit, has received global recognition.

© 2022 Corporate Compliance Insights