Corporate Compliance Insights
Overseeing Risk Appetite & Tolerance: Roadblocks That Need To Be Overcome

by Tim Leech
June 8, 2015
in Risk
with contributing author Parveen Gupta, LLB, PhD

This piece originally appeared in Ethical Boardroom and is republished here with permission.

In the aftermath of the 2008 global financial crisis, postmortems were convened in countries around the world to identify what went wrong. A unanimous conclusion was that Boards of Directors of public companies in general, and financial institutions in particular, need to do more to oversee “management’s risk appetite and tolerance” if future crises are to be avoided.

This finding represents a significant paradigm shift in role expectations, while introducing a new concept the Financial Stability Board (FSB) has coined: effective “Risk Appetite Frameworks” (RAFs). Regulators around the world are now moving at varying speeds to implement these conclusions by enacting new laws and regulations. What regulators appear to be seriously underestimating is the amount of change necessary to make this laudable goal a reality.

Codification Of Board Risk Oversight

Immediately following the onset of the 2008 global crisis, a group called the Senior Supervisors Group (SSG) and later, the Financial Stability Board (FSB) – the world’s first global super regulator – went to work at record speed to publish, seek comments on exposure drafts and issue guidance to national bank and securities regulators around the world. Excerpts from the FSB’s radical and far-reaching November 2013 guidance on risk appetite frameworks (RAFs) follow:

The Board of Directors should:

a) Approve the financial institution’s RAF, developed in collaboration with the CEO, CRO and CFO, and ensure it remains consistent with the institution’s short- and long-term strategy, business and capital plans and risk capacity as well as compensation programs.
b) Hold the CEO and other senior management accountable for the integrity of the RAF, including the timely identification, management and escalation of breaches in risk limits and of material risk exposures.

The Chief Executive Officer should:

a) Establish an appropriate risk appetite for the financial institution (in collaboration with the CRO and CFO) which is consistent with the institution’s short- and long-term strategy, business and capital plans and risk capacity, as well as compensation programs, and that aligns with supervisory expectations.
b) Be accountable, together with the CRO, CFO and business lines, for the integrity of the RAF, including the timely identification and escalation of breaches in risk limits and of material risk exposures.

Internal Audit (or other independent assessor) should:

a) Routinely include assessments of the RAF on an institution-wide basis as well as on an individual business line and legal entity basis.
b) Identify whether breaches in risk limits are being appropriately identified, escalated and reported, and report on the implementation of the RAF to the Board and senior management as appropriate.

In 2010, in response to some of the initial SSG/FSB postmortem analysis, the SEC in the U.S. introduced new proxy disclosure rules that require a general, broad acknowledgment in the annual proxy that the Board is responsible for risk oversight. Since then, the Commission hasn’t taken any steps to provide more granular guidance to clarify what it expects. Perhaps in anticipation of new U.S. disclosure requirements, COSO (Committee of Sponsoring Organizations of the Treadway Commission) announced in October 2014 that it is embarking on a two-year plan to update the now dated 2004 COSO Enterprise Risk Management–Integrated Framework (ERM). A primary stated reason for the update is to assist companies and Boards in reporting on the effectiveness of their risk appetite frameworks.

In September 2014 in the UK, the Financial Reporting Council (FRC), the UK equivalent of the U.S. Securities and Exchange Commission (SEC), became the first national securities regulator to codify and elevate the expectation that Boards of Directors of all UK-listed public companies must oversee management’s risk appetite and tolerance.

Securities regulators in other countries are working to codify new expectations requiring that Boards visibly, and more effectively, oversee management’s risk appetite and tolerance.

Change Won’t Come Easy

The core idea that Boards of Directors should oversee management’s risk appetite and tolerance appears to be a logical extension of their role and, at least on the surface, would appear easy enough to implement if Boards and management are both willing. However, the reality is that there must be a major paradigm shift on the part of regulators, Boards, senior management, risk specialists, internal and external auditors and other risk “silos,” including safety, environment, compliance, IT security and others, to make this regulatory aspiration a reality. Some of the major roadblocks are discussed below.

Roadblock 1

Regulators Themselves

Following a “perfect storm” of corporate malfeasance, the U.S. enacted the Sarbanes-Oxley Act of 2002. Section 404 requires that CEOs, CFOs and external auditors form binary opinions on whether they believe internal control over financial reporting is, or is not, “effective” using criteria drawn from a “suitable” control framework. The dated 1992 COSO internal control framework was deemed “suitable” by the SEC. The 1992 COSO control framework was recently replaced with the marginally better COSO 2013 control framework. Canada and other countries directionally followed the U.S. lead.

The problem is that this approach does nothing to train senior management or auditors to assess and report on the state of “residual risk,” the risk that remains after considering controls and other important risk treatments; nor does it train Boards to assess whether they are comfortable with management’s risk appetite and tolerance. The result is that the Board receives little in the way of reliable information on the line items in the company’s balance sheet and income statement with the highest composite uncertainty – or, stated another way, the highest likelihood of being materially wrong.

Roadblock 2

Internal Audit “Direct Report” Audit Methods

A large percentage of public companies maintain internal audit functions that complete point-in-time audits and report “material weaknesses,” “control deficiencies,” areas needing improvement and the like. Viewed through a risk lens, what these audit opinions represent is an opinion on whether the auditors like or dislike the controls in place and, by extension, whether they like or dislike the current state of retained/residual risk.

How they have formed their like and dislike opinions on the state of residual risk is often unclear. More importantly, all agree, including the global Institute of Internal Auditors (IIA), that in spite of the apparent contradiction with current practices, it is the job of management and the Board, not internal audit, to decide how much retained risk is acceptable in pursuit of an organization’s business objectives.

Compounding the problem, internal auditors in a large percentage of companies today do not use risk assessment methods designed to identify and assess the current state of residual/retained risk. Most don’t know how to appropriately use recognized risk frameworks or risk vocabulary in their daily work. Very few internal auditors have received much, if any, training on how to identify and consider the full range of risk treatments. It simply isn’t part of the current core curriculum or training offerings. The focus has been on identifying “internal controls,” often without linking these controls to specific risks. It has not, with few exceptions, been on providing a consolidated entity-level report on the current residual risk status related to key objectives for senior management and Boards.

In the absence of reliable information on the state of residual risk from business units and assurance specialists, senior management and, most importantly, Boards of Directors are handicapped in their efforts to oversee management’s risk appetite and tolerance. Regulators globally continue to support this “direct report/control-centric” audit approach, while at the same time calling on Boards of Directors to oversee management’s risk appetite and tolerance – a regulatory imposed recipe for confusion and future governance failures.

Roadblock 3

Traditional “Risk-Centric” ERM Methods

The idea that management and Boards should be actively and transparently involved in “risk management” is not a new one. Australia was the first country to pioneer a risk management standard in the mid-1990s (AS/NZ 4360). Gradually, over the next decade, other countries followed suit. In the U.S., COSO released its own ERM framework in 2004 and ISO, the world’s international standards setter, released the world’s first global risk management standard in 2009.

For a variety of reasons, including support from the consulting sector and resistance from management, the world has generally interpreted ERM to mean an annual exercise (with limited time and effort) to build and maintain “risk registers,” now increasingly referred to less charitably as “risk lists.” These risk registers are accompanied by color-coded “heat maps” showing which risks have been rated RED, based on the likelihood and impact of each risk and the controls in place. Boards receive lists of the top 10/20/50/100 risks. Often these are standalone lists with no linkage to related business objectives and no clear map showing which business objectives the top risks impact. The fact that most important business objectives have 10 or more significant risks that create uncertainty over whether the objective will be achieved has been, and is still today, largely ignored.

Roadblock 4

Practical Advice on How to Actually Do It

In 2009, not long after commissions globally started to report their conclusion that weak/deficient Board oversight of management’s risk appetite and tolerance was a central root cause of the global crisis, the National Association of Directors (NACD) in the U.S. released its seminal Blue Ribbon Commission report, Risk Governance: Balancing Risk and Reward. This report calls on Boards to increase their focus and attention in this area and proposes six key Board risk oversight duties. What is missing in that report, and what is still largely unaddressed by the NACD and other director associations and regulators globally, are the practical steps and major changes companies must make, including the training and new tools necessary to help Boards fulfill their new fiduciary duty to oversee management’s risk appetite and tolerance.

Roadblock 5

Human Aversion to Radical Change

Last, but certainly not least, major changes are needed in regulatory attitudes and in the corporate functions and processes that create and provide information on the state of retained risk. It is likely that not all CEOs want their Boards of Directors to know all the areas of high retained risk. For a variety of reasons, there may also be more than a few Boards that don’t want to know “the whole truth and nothing but the truth.”

Unfortunately, more than a few C-suites have kept Boards in the dark in the past as management pursued strategies more aligned with maximizing their personal goals than with the long-term success of their organizations. Major changes are needed in internal audit charters, training, certification and methods. ERM specialists need to focus on developing new methods and tools that provide ethical senior management teams and Boards with a consolidated report on the state of retained risk across the enterprise, including risks that threaten the achievement of the organization’s top strategic objectives, as well as foundational objectives relating to legal compliance, reliable financial statements, data security, business continuity and the like.

In summary, an old adage applies: Regulators should practice what they preach. If regulators truly want Boards of Directors to be more effective overseers of management’s risk appetite and tolerance, they should complete formal risk assessments on their stated objective of legislating better and more effective Board risk oversight. Once they have properly identified the full range of significant risks to this objective, with the support of groups like the NACD, Financial Executives International (FEI) and IIA and the myriad of risk associations, they need to develop risk treatment strategies to reduce the very real likelihood that senior management and Boards will not embrace this new regulatory imperative. Regaining the trust of investors and the public around the world is a goal that’s worth the effort.


Tags: Data Governance
Tim Leech

Tim J. Leech, FCPA, CIA, CFE, CRMA, is Managing Director at Risk Oversight Solutions Inc. Risk Oversight Solutions focuses on helping companies more effectively manage risk and assurance to meet escalating Board risk oversight expectations and add real value. He has more than 25 years of experience in the Board risk oversight, ERM, internal audit and forensic accounting fields, including expert witness testimony in civil and criminal proceedings and global experience helping public and private sector organizations with ERM and internal audit transformation initiatives and the design, implementation and maintenance of integrated GRC/ERM frameworks. Leech has provided training for tens of thousands of public and private sector Board members, senior executives, professional accountants, auditors and risk management specialists in Canada, the U.S., the EU, Australia, South America, Africa and the Middle and Far East. He has received worldwide recognition as a pioneer, thought leader and trainer. His newest breakthrough methodology, “Board & C-Suite Driven/Objective Centric ERM and Internal Audit,” has been licensed by the IIA for global deployment starting in the fall of 2014, and his article “Reinventing Internal Audit,” featured in the April 2015 issue of Internal Audit, has received global recognition.