Risks Appetite – Principles and Approach
The key question for all companies is how much risk do they need to take? And yet taking risks without consciously managing those risks can lead to the downfall of organizations. This is the challenge that has been highlighted by the UK Corporate Governance Code issued by the Financial Reporting Council in 2010.
The following key principles have underpinned risk appetite:
1. Risk appetite can be complex. Excessive simplicity, while superficially attractive, leads to dangerous waters: far better to acknowledge the complexity and deal with it, rather than ignoring it.
2. Risk appetite needs to be measurable. Otherwise there is a risk that a statement may become empty and vacuous.
3. Risk appetite is not a single, fixed concept. There will be a range of appetites or ranges for different risks which need to be aligned and these appetites may vary over time. Like in sourcing decisions, the Board may set vendor business share limits as they would be make the entity dependent on few vendor companies that could eventually impact business continuity or range of quality defects.
4. Risk appetite should be developed in the context of an organization’s risk management capability, which is a function of risk capacity and risk management maturity. Risk management remains an emerging discipline and some organizations, irrespective of size or complexity, do it much better than others. This is in part due to their risk management culture (a subset of the overall culture), partly due to their systems and processes, and partly due to the nature of their business. However, until an organization has a clear view of both its risk capacity and its risk management maturity, it cannot be clear as to what approach would work or how it should be implemented.
5. Risk appetite must be integrated with the control culture of the organization. The Risk Management framework explores this by looking at both the propensity to take risk and the propensity to exercise control. The framework promotes the idea that the strategic level is proportionately more about risk taking than exercising control, while at the operational level the proportions are broadly reversed. Clearly the relative proportions will depend on the organization itself, the nature of the risks it faces and the regulatory environment within which it operates.
No comments:
Post a Comment