appetite - Blog - Global Risk Community2024-03-29T13:52:09Zhttps://globalriskcommunity.com/profiles/blogs/feed/tag/appetiteMeeting regulatory demands amidst continued innovation, disruption and evolutionhttps://globalriskcommunity.com/profiles/blogs/meeting-regulatory-demands-amidst-continued-innovation-disruption2020-01-06T07:00:00.000Z2020-01-06T07:00:00.000ZJames Marinoshttps://globalriskcommunity.com/members/JamesMarinos<div><p><span>By Sophie Bottazzi, Senior Research Executive, CeFPro</span></p><p>The payment industry in Europe continues to evolve with the huge influx of new payments providers in the market, increased regulatory demand and evolving customer expectations of products and services. With the implementation of PSD2/Open Banking becoming more embedded, the payments landscape continues to evolve as APIs open up customer data for more institutions to leverage. With such increased demand and competition comes heightened regulatory scrutiny to ensure compliance and safety and soundness across the industry. The delays to secure customer authentication requirements introduce additional fragmentation across jurisdictions as many look to implement the standards to varying interpretations and deadlines.</p><p>With this in mind, the Center for Financial Professionals conducted an extensive research project with financial institutions, FinTechs, regulators and payment service providers to gain an insight into the key trends and challenges across the industry. The results of the research project are demonstrated at the upcoming 3rd Annual Payments Summit, taking place in London on 11-12 February, 2020. Thought leaders across the industry share insight on a range of current challenges and opportunities to enhance communication and collaboration and drive innovation agendas. 
Below are some of the key areas highlighted during the research. For full information on the final agenda, please visit: <a href="https://www.cefpro.com/payments">https://www.cefpro.com/payments</a></p><p>From CeFPro’s research it is clear there are still lessons to be learned and discussion to be had surrounding the implementation of PSD2 and Open Banking as institutions across Europe await the full extent of the impacts across the industry. Secure customer authentication requirements remain uncertain as delays across the industry raise additional questions around expectations and timelines. Institutions continue to grapple with balancing customer satisfaction against regulatory demands and the need to authenticate customers and devices. Questions remain about the degree of authentication required, how frequently it is required and how security measures can be implemented without impacting the customer journey. The immediate impact of PSD2 originally feared by many institutions did not come to fruition; many are not leveraging the potential of open APIs, and the long-term impacts remain uncertain.</p><p>In a world of continued digitalisation of both institutions and consumers, cyber security threats have never been more prominent. Institutions remain vigilant to mitigate the increasing fraud and cyber security risk. The above-mentioned challenge of balancing customer experience and security also applies to cyber risk: institutions must ensure accessibility to digital services while protecting data and assets. As the digital landscape continues to evolve and products and services diversify, institutions open up additional vulnerabilities and opportunities for criminals to gain access, therefore safeguards must continue to be put in place to maintain security across the institution. Alongside internal safeguards, education of customers is also vital, ensuring customers are exercising caution with online activities and security. 
As the global landscape continues to rapidly evolve and expand, cyber security and its risk evolve further and pose an increased threat to an institution, its customers and reputation.</p><p>Finally, an exciting opportunity across the industry is the trialling of Request to Pay services and the future of direct debits. Request to Pay is being trialled by a number of larger financial institutions with the view of turning direct debits into a thing of the past and instead requesting funds from the customer. The new payment process looks to revolutionise how bills are paid and limit defaults on loans to open up dialogue between the institution and customer. The scheme is one which is completely new and as yet untested by institutions and customers. Institutions are investigating the introduction of Request to Pay and interaction with regulatory requirements and new payments architectures. The scheme could have impacts across the payments industry and merchants, with significant cost reductions to customers and communication to limit default charges or late payment fees. Request to Pay remains an area of interest for institutions to explore as the future of payments and direct debits.</p><p>The 3rd Annual Payments Summit looks to address the above challenges and much more, and provide a platform for best practice and idea sharing to enhance collaboration and communication. The findings of this research will be illustrated on February 11-12, 2020 at The Centre for Financial Professionals Payments Summit in London. 
We invite you to join your peers for two days to discuss upcoming payment trends, technologies and regulatory requirements including PSD2, SCA, Open Banking, Instant Payments and Request to Pay.<br /> The agenda can be viewed at <a href="http://www.cefpro.com/payments">www.cefpro.com/payments</a></p><p>For further information, please get in touch with a member of the team on +44 (0) 207 164 6582</p></div>marcus evans to Host the 2nd Annual Interest Rate Risk in the Banking Book Conference on December 5-7, 2018 in New Yorkhttps://globalriskcommunity.com/profiles/blogs/marcus-evans-to-host-the-2nd-annual-interest-rate-risk-in-the2018-08-09T16:00:00.000Z2018-08-09T16:00:00.000ZAmanda Pinkhttps://globalriskcommunity.com/members/AmandaPink<div><p><strong>marcus evans</strong> will host the <strong>2<sup>nd</sup> Annual Interest Rate Risk in the Banking Book Conference on December 5-7, 2018 in New York.</strong> This conference will give banks the practical insight to optimize their interest rate risk management strategies in an uncertain economic environment. Firms will gain insight into the regulatory priorities and concerns surrounding the proposed IRRBB regulation in order to streamline their strategies to position themselves for compliance. 
Delegates will also advance their ALM models in order to improve their cash flow analytics and understand their capital limits to achieve strategically priced deposits.</p><p> </p><p><strong>Learn From Key Practical Case Studies:</strong></p><ul><li><strong>BBVA Compass</strong> will recognize the challenges of the current interest rate environment</li><li><strong>Capital One</strong> will overcome the challenges of interest rate risk modeling to ensure reliable forecasts</li><li><strong>MUFG</strong> will assess the interaction of deposits with interest rates</li><li><strong>The Federal Reserve Board</strong> will develop your customer behavior analytics to identify rate sensitive clients</li><li><strong>Northern Trust</strong> will harmonize interest rate and liquidity management to minimize risk in your firm</li></ul><p> </p><p><strong>Key Speakers Include:</strong></p><ul><li>Brinda Bhattacharjee, Managing Director, <strong>Goldman Sachs</strong></li><li>Augusto Ballester, Senior Vice President, Senior Manager, Portfolio Risk Strategy, <strong>Bank of America</strong></li><li>Maxwell Zhu, Managing Director, Head of Quantitative Analysis & Strategy, US Corporate Treasury, <strong>BMO Harris Bank</strong></li><li>Yujush Saksena, Managing Director, Head of Market Risk, <strong>GE Capital</strong></li><li>Matthew Whaley, Head of Interest Rate Risk & Liquidity Risk Oversight, <strong>MUFG </strong></li></ul><p> </p><p>For more information, please visit: <a href="http://bit.ly/2OyvbRp">http://bit.ly/2OyvbRp</a> or you can contact Amanda Pink at apink@global-fmi.com.</p><p> </p><p><strong><em>marcus evans</em></strong> <em>conferences annually produce over 2,000 high quality events designed to provide key strategic business information, best practice and networking opportunities for senior industry decision-makers.</em></p></div>marcus evans to Host the 4th Edition Leveraged Lending in the Shifting Regulatory Environment Conference on November 29-December 1, 2017 in 
New York, NYhttps://globalriskcommunity.com/profiles/blogs/marcus-evans-to-host-the-4th-edition-leveraged-lending-in-the2017-08-11T16:09:21.000Z2017-08-11T16:09:21.000ZAmanda Pinkhttps://globalriskcommunity.com/members/AmandaPink<div><p><b>marcus evans</b> will host the <b>4<sup>th</sup> Edition Leveraged Lending in the Shifting Regulatory Environment Conference on November 29-December 1, 2017 in New York, NY</b>. This interactive meeting will provide you with best strategies to optimize your leveraged lending strategies in the current competitive environment. Take away insights for risk appetite setting, funding and regulatory compliance to increase profitability of leveraged loans.</p><p><b>Walk Away with Practical, Actionable Insights that will allow you to:</b></p><ul><li><b>Gain</b> clarity on the Interagency Guidance</li><li><b>Improve</b> underwriting standards to better comply with the regulations</li><li><b>Understand</b> how peers are managing loans in different sectors</li><li><b>Identify</b> key trends and challenges in specific products and sectors</li><li><b>Discuss</b> how to calculate risk appetite</li><li><b>Innovate</b> new products to remain competitive in the market</li></ul><p><b>Key Speakers Include:</b></p><ul><li><b>Christopher Wood</b>, Managing Director, Head of Syndicated & Leveraged Finance, <b>SunTrust Robinson Humphrey</b></li><li><b>Saad Aslam</b>, Executive Vice President, Independent Risk Management, <b>PNC Bank</b></li><li><b>Chris Droussiotis</b>, Managing Director, Head of Leveraged, Sponsor & Structured Finance, <b>Sumitomo Mitsui Banking Corporation</b></li><li><b>Patrick Brocker</b>, Senior Managing Director, <b>Peapack-Gladstone Bank</b></li><li><b>Heather Mosbacher Reiner</b>, Director, <b>William Blair & Company</b></li><li><b>Nitin Sharma</b>, Managing Director, <b>CIT Bank N.A.</b></li></ul><p>For more information, please visit: <a href="http://bit.ly/2uvNFfc">http://bit.ly/2uvNFfc</a> or you can contact Amanda Pink at <a 
href="mailto:amandap@marcusevansch.com?subject=Agenda%20Request:%2012th%20Annual%20Liquidity%20Management%20(Supply%20Chain%20Brain)">amandap@marcusevansch.com</a></p><p><b><i>marcus evans</i></b> <i>conferences annually produce over 2,000 high quality events designed to provide key strategic business information, best practice and networking opportunities for senior industry decision-makers. </i></p></div>ERM and Risk Appetite may Derail SoulCycle's IPOhttps://globalriskcommunity.com/profiles/blogs/erm-and-risk-appetite-may-derail-soulcycle-s-ipo2015-09-21T14:14:23.000Z2015-09-21T14:14:23.000ZSteven Minskyhttps://globalriskcommunity.com/members/StevenMinsky<div><p>Last month, SoulCycle, a well-known high-end cycling business, filed for an initial public offering. In the midst of this exciting transition from private to public, SoulCycle was<a href="http://time.com/4014624/lawsuit-soulcycle-ipo/"> hit with a lawsuit</a> for violating the Credit Card Accountability and Disclosure Act. One might assume that the company was outed by a compliance agency or regulator. But, surprisingly, this lawsuit comes from a disgruntled former customer, Rachel Cody, who felt she was being "robbed" by the cycling mogul she once trusted.</p><p><a href="http://time.com/4014624/lawsuit-soulcycle-ipo/">According to the report</a><a href="http://time.com/4014624/lawsuit-soulcycle-ipo/" target="_blank"><img src="http://www.logicmanager.com/wp-content/uploads/2013/11/SaaS-Advantages-500x322.jpg?width=300" width="300" class="align-right" alt="SaaS-Advantages-500x322.jpg?width=300" /></a>, "The lawsuit alleges that SoulCycle's practice of not allowing customers to directly pay for classes, instead requiring them to purchase 'Series Certificates,' is not a fair and transparent practice." How does this violate the Credit Card Accountability and Disclosure Act? 
In order to abide by the act, a company must "establish fair and transparent practices relating to the extension of credit under an open end consumer credit plan." Cody claims SoulCycle violated this act with inexplicably short expiration periods, and without advance notice. These expiration periods were much shorter than <a href="http://www.businessinsider.com/soulcycle-is-facing-a-lawsuit-2015-8#ixzz3k35htBZM">those mandated by federal and state laws</a>.</p><p>With an industry fueled by customer satisfaction and return rate, did SoulCycle adequately assess the risks of their pricing packages? Furthermore, in light of SoulCycle's upcoming IPO, what deficits might this lawsuit have when it comes to producing windfall profit?</p><p></p><p><b>How can Actionable Risk Appetite Statements Help?</b></p><p>How could SoulCycle have taken steps to mitigate litigation risks related to customer dissatisfaction? Was any thought devoted to the risk associated with such drastic participation policies, regardless of whether they met the minimal regulatory compliance standards?</p><p>A crucial finding from this story is the absence of a <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-appetite-risk-tolerance-residual-risk/">risk appetite statement</a>, which according to ISO 31000 is, "the amount and type of risk that an organization is prepared to pursue, retain or take."</p><p>With <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-appetite-risk-tolerance-residual-risk/">actionable risk appetite statements</a>, SoulCycle can set the broad levels of risk deemed acceptable surrounding customer satisfaction. A missing risk appetite statement indicates the weakness of their ERM program. 
Organizations then need to narrow the scope of their risk appetite statements and achieve more granularity by defining their corresponding <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-appetite-risk-tolerance-residual-risk/">risk tolerances</a>. For SoulCycle, these risk tolerances may have been measures of customer satisfaction, participation rates, or revenue driven from related programs, all of which would help weigh the risks and rewards associated with their class enrollment policies. In doing so, an organization has the ability to articulate acceptable risks, strengthen controls, and resolve tensions in the business plan.</p><p>By utilizing an ERM solution, risk appetites and risk tolerances are continuously monitored to test and track the true effectiveness of activities. According to <a href="http://www.businessinsider.com/soulcycle-is-facing-a-lawsuit-2015-8#ixzz3k35htBZM">Business Insider</a>, Cody is not the only frustrated former customer. The lawsuit states that tens of thousands of customers were impacted, and that this risk is identifiable and ascertainable based on SoulCycle's records.</p><p>Clearly, another weakness of their ERM program is that their <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-assessment-templates/">risk assessments</a> do not reach the front line to surface risks known to managers and other employees at each location. This leaves senior leadership and the board blindsided by risk. Therefore regulators and standards bodies, such as the SEC, PCAOB, and even the State of New York (where SoulCycle is headquartered), require corporations to declare the effectiveness of their ERM programs and provide the evidence to back it up. <a href="http://www.logicmanager.com/erm-software/2012/10/25/erm-compliance-and-enforcement/">In 2010, the SEC changed risk management</a> rules. 
Now, not knowing about a risk is negligence, and there is no need to establish intent to commit fraud for the full penalties and liabilities to be enforced. That is one of the reasons why SoulCycle is so vulnerable to litigation. Had they utilized an Enterprise Risk Management program, not only would the risk likely have been discovered sooner and the damage prevented, but SoulCycle would have been protected from punitive damages and other penalties for negligence.</p><p>Without an ERM software solution to objectively assess complaints, the risk went unaddressed, causing major reputation and retention risks, as well as lawsuits alleging the company misled its consumers. With an ERM solution, the risk would have been escalated to senior management and the board much sooner, thus triggering an evolution of the related risk mitigation practices.</p><p> </p><p><em><span>For more information on adopting actionable risk appetite and risk tolerance statements, download LogicManager's eBook, "<a href="http://www.logicmanager.com/ebook-5-steps-towards-actionable-risk-appetite-statements">5 Steps towards an Actionable Risk Appetite</a>."</span></em></p><p> </p></div>Risk Appetite in IT operationshttps://globalriskcommunity.com/profiles/blogs/risk-appetite-in-it-operations2014-07-21T02:37:27.000Z2014-07-21T02:37:27.000ZMartin Davieshttps://globalriskcommunity.com/members/MartinDavies92<div><p><span style="font-family:arial, helvetica, sans-serif;">Assessing and measuring risk appetite away from an investment portfolio is perhaps one of the most difficult risk management initiatives practitioners have to entertain, it is also discussed often on risk forums and written about avidly by many consulting firms.</span></p><p><span style="font-family:arial, helvetica, sans-serif;">In this article we release a white paper that steps through the entire process of measuring and assessing risk appetite, dealing with the numbers specifically rather than just top level summaries and catch 
phrases on what risk appetite is.</span></p><p><span style="font-family:arial, helvetica, sans-serif;">The paper can be downloaded from the following [ <span style="color:#0000ff;"><a href="http://goo.gl/Nrxf1F" target="_blank"><span style="color:#0000ff;">LINK</span></a></span> ]</span></p></div>Risk Managers Are Spending Their Time on the Wrong Thingshttps://globalriskcommunity.com/profiles/blogs/risk-managers-are-spending-their-time-on-the-wrong-things2014-06-20T14:00:00.000Z2014-06-20T14:00:00.000ZSteven Minskyhttps://globalriskcommunity.com/members/StevenMinsky<div><p><a href="{{#staticFileLink}}8028226683,original{{/staticFileLink}}"><img width="275" src="{{#staticFileLink}}8028226683,original{{/staticFileLink}}" class="align-right" alt="8028226683?profile=original" /></a>There is always a lot of buzz about “risk appetite statements” and “risk tolerance.” In theory, these sound like a natural launching point for ERM Programs – how can risk managers manage risks without a known goal of what they should be managing towards?</p><p>However, the problem with risk appetite is that it is not actionable, thus organizations see very little impact from having perfectly established risk appetite statements that far too many risk managers spend months developing. As a result, senior management begins to question the value the ERM program is delivering in the early stages.</p><p>A recent <a href="http://www.propertycasualty360.com/2014/04/25/mature-risk-management-practices-could-realize-25">study in The Journal of Risk and Insurance</a>, using RIMS Risk Maturity Model (RMM) data, suggests that organizations with mature and effective ERM Programs see up to 25% higher market value than firms with immature ERM programs. 
</p><p>The RMM is an umbrella framework with a <a href="http://www.rims.org/ERM/Pages/RiskMaturityModel.aspx">free assessment tool</a> that enables organizations to evaluate the effectiveness and adequacy of an organization’s risk management program, determining where and how their program can improve. The RMM is broken down into seven core attribute sections, each focusing on a different core element of ERM.</p><p>In addition to the 25% composite result, the authors were able to study the individual attribute maturity scores to provide a much clearer insight into which attributes in particular appear to be contributing most to ERM.</p><p><b>Here are the results:</b></p><ul><li>Performance Management – 23% contribution</li><li>ERM Process Management – 20% contribution</li><li>Adoption of ERM Based Approach – 17% contribution</li><li>Root Cause Discipline – 16% contribution</li><li>Uncovering Risks – 15% contribution</li><li><b>Risk Appetite Management - insignificant</b></li><li>Business Resilience and Sustainability – insignificant</li></ul><p>The challenge with risk appetite is how to implement and enforce it, making it relevant to business units on a day-to-day basis. In other words, linking risk appetite to business decisions and having appropriate business metrics to measure it.</p><p>These results show that in order to get the most value from ERM, the processes must be scalable, repeatable, and embedded throughout the organization with accountability. The quality of the process must be monitored and improved by having a clear feedback mechanism throughout an organization, so that issues can effectively be escalated and prioritized. 
A strong connection between strategic business goals and risk management, and a monitoring and reporting capability to ensure any deviation from stated goals is measured and communicated, is the key to ERM success.</p><p>Most organizations think they need to fully develop their ERM program before they are ready for software, but organizations should be approaching this the opposite way. An ERM Content Solution Software like LogicManager has all the templates and best practices for building an organization’s ERM charter, risk appetite and tolerance, frameworks, roles and responsibilities, assessment criteria, and more, along with a dedicated business analyst to help you mold these to fit your organization and share other best practices. </p><p>As a result, you can accomplish the baseline foundation of your program in a fraction of the time with expert guidance to mentor you, so that you can quickly begin working on the attributes of ERM that bring value – significant value – to your organization’s bottom line. All of the aspects that the study showed are crucial for ERM success, such as scalability, repeatability, reporting, and feedback mechanisms, are what ERM Software was designed to do. 
</p><p><strong><em>Download our <a href="http://www.logicmanager.com/ebook-roi-of-erm-software">white paper on the ROI of ERM</a>, or <a href="http://www.logicmanager.com/enterprise-risk-management-software-demo/">request a demo</a> to see how LogicManager can quickly help you achieve measurable value from ERM.</em></strong></p></div>RMORSA Part 3: Risk Appetite and Tolerance Statementhttps://globalriskcommunity.com/profiles/blogs/rmorsa-part-3-risk-appetite-and-tolerance-statement2013-09-27T15:00:00.000Z2013-09-27T15:00:00.000ZSteven Minskyhttps://globalriskcommunity.com/members/StevenMinsky<div><p><a href="{{#staticFileLink}}8028227088,original{{/staticFileLink}}"><img width="200" src="{{#staticFileLink}}8028227088,original{{/staticFileLink}}" class="align-right" alt="8028227088?profile=original" /></a>The third step in the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) is the implementation of a Risk Appetite and Tolerance Statement. This step is meant to set boundaries on how much risk your organization is prepared to accept in the pursuit of its strategic objectives.</p><p>An organization-wide risk appetite statement provides direction for your organization and is a mandatory part of your assessment. 
As defined by <a href="http://www.coso.org/documents/ERM-Understanding%20%20Communicating%20Risk%20Appetite-WEB_FINAL_r9.pdf">COSO</a> (one of the risk management standards measured in the <a href="http://www.rims.org/resources/erm/pages/RiskMaturityModel.aspx">RIMS Risk Maturity Model</a> umbrella framework), the risk appetite statement allows organizations to “introduce operational policies that assure the board and themselves that they are pursuing objectives within reasonable risk limits.” A risk appetite statement should be reflective of your organization’s strategic objectives and serve as a starting point for risk policies and procedures.</p><p>Once your organization has documented your risk appetite (and received the Board’s approval), the question becomes how do you measure if your organization is adhering to it? The answer is to implement risk tolerances.</p><p>While risk appetite is a higher level statement that broadly considers the levels of risk that management deems acceptable, risk tolerances set acceptable levels of variation around risk. For example, a company that says it does not accept risks that could result in a significant loss of its revenue base is expressing appetite. When the same company says that it does not wish to accept risks that would cause revenue from its top 10 customers to decline by more than 1%, it is expressing a tolerance.</p><p><b>Why Set Tolerance Levels?</b></p><p>Operating within risk tolerances provides management with greater assurance that the company remains within its risk appetite, which in turn provides a higher degree of comfort that the organization will achieve its objectives.</p><p>The second step of RMORSA, <a href="http://www.riskmanagementmonitor.com/rmorsa-part-2-risk-identification-and-prioritization/">Risk Identification and Prioritization</a>, outlines a risk assessment process for your organization that provides quantitative language for risk-based decision making. 
This standardized scale allows you to discuss the resulting assessment indexes to determine a uniform tolerance throughout the organization. It may not be possible to set accurate tolerances until risk intelligence has been collected over a period of time, but eventually you’ll be able to prioritize resources to the risks with the highest variation.</p><p>The process of articulating a Risk Appetite Statement and setting tolerances brings your ERM program into alignment. Every day, process owners make operational decisions about risk far from the organization’s risk appetite statement, which is set at a senior executive level. By setting tolerances, process owners are provided benchmarks they can use to measure their performance.</p><p><b>Align with Strategic Goals</b></p><p>When risk tolerances are aligned with both overall risk appetite and strategic goals, they will improve risk mitigation effectiveness and contribute to achieving your strategic goals. It is important to remember that risk appetite and tolerance levels are not static. They should be reviewed and reconsidered periodically by senior executives to keep your organization moving in the right direction.</p><p><em>To learn more about Risk Appetite and Risk Tolerance Statements, we welcome you to watch our complimentary webinar, <a href="http://www.logicmanager.com/register-orsa-compliance-webinar" title="ORSA Compliance: 5 Steps You Need to Take in 2015">ORSA Compliance: 5 Steps You Need to Take in 2015</a>.</em></p></div>Risk Leadership: Using Risk Appetite to Engage Boardshttps://globalriskcommunity.com/profiles/blogs/risk-leadership-using-risk-appetite-to-engage-boards2013-08-01T05:00:59.000Z2013-08-01T05:00:59.000ZBryan Whitefieldhttps://globalriskcommunity.com/members/BryanWhitefield<div><p><span style="font-size:10pt;">Ten years ago nine out of ten CFOs I was consulting to would tell me their CEO was too busy to meet to discuss the risk program under development. 
The CFO was tasked with the job and we should just get on with it. Today it is less likely to be a problem to meet with the CEO on risk, however, getting to the Board still seems to have its challenges for many risk professionals. My experience is that “risk appetite” is one of the best tools to engage the Board. <strong>This is how you can make it work:</strong></span></p><ul><li><span style="font-size:10pt;">Be clear on why Boards should care about risk appetite. The key reason is because it drives the behaviour of the executive, management and staff. It is closely linked with ensuring the organisation has realistic objectives aimed at fulfilling the organisation’s purpose.<br clear="none" /><br clear="none" /></span></li><li><span style="font-size:10pt;">Through the appropriate channels, offer to have a session with the Board to develop a risk appetite statement <a href="" style="color:#1c1c1e;" target="_blank">(download a sample risk appetite here)</a> and be clear on why. Use their language not risk-speak. If they agree, all is good.<br clear="none" /><br clear="none" /></span></li><li><span style="font-size:10pt;">If the Board does not agree to have a discussion on risk appetite and delegates the task to management, prepare the statement with senior management and forward it onto the Board for review with a paragraph along the following lines: <em>“The attached risk appetite statement will be disseminated to and used by staff and the executive to inform their decision-making. Furthermore, the statement will be used to confirm risk reporting triggers when certain risks need to be reported to higher levels of management and ultimately to the Board.”</em></span></li></ul><p><span style="font-size:10pt;">In my experience, presenting a risk appetite statement to a Board in this way leads to a full discussion between the Board and management and more often than not, the senior risk officer is invited to lead the discussion. 
The Board becomes engaged and now has further basis for querying why a decision has or has not come to the Board for approval.</span></p><p></p><p><span style="font-size:10pt;"><a href="http://www.rmpartners.com.au">www.rmpartners.com.au</a></span></p><p></p><p></p></div>A failing of risk appetite ...https://globalriskcommunity.com/profiles/blogs/a-failing-of-risk-appetite2013-07-11T07:47:19.000Z2013-07-11T07:47:19.000ZMartin Davieshttps://globalriskcommunity.com/members/MartinDavies92<div><p><span style="font-family:arial, helvetica, sans-serif;" class="font-size-2">A recent survey carried out by KPMG and the Economist Intelligence Unit finds that 81% of risk managers and executives fail to effectively capture risk appetite in their business models, what can we do?</span></p><p><span style="font-family:arial, helvetica, sans-serif;" class="font-size-2">In this blog posting I have linked to the new KPMG Expectations of Risk Management survey and included an infographic for fixing risk appetite.</span></p><p><span style="font-family:arial, helvetica, sans-serif;" class="font-size-2">More can be found here [ <span style="color:#3366ff;"><a href="http://causalcapital.blogspot.sg/2013/07/a-failure-of-risk-appetite.html" target="_blank"><span style="color:#3366ff;">LINK</span></a></span> ]</span></p></div>Streamline Enterprise Risk Assessments - More Value, Less Work: Free Webinarhttps://globalriskcommunity.com/profiles/blogs/streamline-enterprise-risk-assessments-more-value-less-work-free2013-02-05T18:00:00.000Z2013-02-05T18:00:00.000ZSteven Minskyhttps://globalriskcommunity.com/members/StevenMinsky<div><p style="font-size:14px;color:#303437;font-family:Arial, Helvetica, sans-serif;line-height:normal;background-color:#ffffff;">Looking back over my most popular blogs, there was a lot of interest in <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-assessment-templates/">5 Steps for Better Risk Assessments</a> and <a 
href="http://www.logicmanager.com/erm-software/2012/09/28/how-to-consolidate-compliance-risk-assessments/">How to Consolidate Compliance Risk Assessments</a>. Due to this interest I have created a complimentary 30 minute webinar on streamlining enterprise risk assessments complete with detailed "how to" examples and visuals that are not possible in a blog format.</p><p style="font-size:14px;color:#303437;font-family:Arial, Helvetica, sans-serif;line-height:normal;background-color:#ffffff;"><strong><a href="http://www.logicmanager.com/register-better-risk-assessments-webinar">Click here to watch</a> this On Demand Webinar or read the full invitation below:</strong></p><p style="font-size:14px;color:#303437;font-family:Arial, Helvetica, sans-serif;line-height:normal;background-color:#ffffff;"><strong><strong>On-Demand Complimentary Webinar Invitation:</strong></strong></p><p style="font-size:14px;color:#303437;font-family:Arial, Helvetica, sans-serif;line-height:normal;background-color:#ffffff;">Organizations and risk managers are under more pressure than ever before to prove the assurance and value their ERM program is providing, yet the way risk information is collected and structured today—scattered across spreadsheets and word docs—it is nearly impossible to aggregate and analyze this information in a meaningful way. Not to mention the time it takes to compile this data. 
As one of our CRO friends put it recently, “It’s not even a labor of love at this point – it’s just labor!”<a href="http://logicmanager.com/wp-content/uploads/2013/08/risk-reward-tradeoff-resized-600.png"><img class="alignright size-medium wp-image-1062" alt="risk-reward-tradeoff-resized-600" src="http://logicmanager.com/wp-content/uploads/2013/08/risk-reward-tradeoff-resized-600-300x139.png" width="300" height="139" /></a></p><p style="font-size:14px;color:#303437;font-family:Arial, Helvetica, sans-serif;line-height:normal;background-color:#ffffff;">Learn how to implement a framework with your existing risk information to make your data dramatically more useable and valuable. The structure will allow you to connect the dots between business area commonalities, aggregate assessments, connect risks to the strategic goals of the organization, put in place more effective mitigation activities, and more.</p><div style="color:#303437;font-family:Arial, Helvetica, sans-serif;font-size:12px;line-height:normal;background-color:#ffffff;"><p style="font-size:14px;">The key is being able to compare enterprise risk assessment information across functions and levels while keeping one comprehensive risk picture. 
In this webinar, each of the following top 5 best practices will be reviewed in a step-by-step tutorial, with risk assessment examples showing how to achieve them from where most organizations currently are, in order to achieve this transparency and assurance:</p><ul style="margin:6px 0px 6px 14px;padding:0px 0px 0px 20px;"><li style="padding-bottom:4px;font-size:14px;">Taking a root-cause approach</li><li style="padding-bottom:4px;font-size:14px;">Standardizing assessment scale and criteria with risk assessment templates</li><li style="padding-bottom:4px;font-size:14px;">Linking risks to controls</li><li style="padding-bottom:4px;font-size:14px;">Connecting risks to strategic goals</li><li style="padding-bottom:4px;font-size:14px;">Embedding risk assessments in everyday activities</li></ul><p style="font-size:14px;"><strong>Who will benefit:</strong></p><p style="font-size:14px;"><strong>Risk Professionals:</strong><br /> Risk managers are feeling the pressure from their boards and senior leadership because the business environment as well as laws and regulations have changed. Risk assessments require much more discipline and rigor. Risk managers will learn how to adopt best practices so that risk assessments can be compared and utilized cross-functionally for more accurate and actionable risk management. You will also learn how to apply these best practices to streamline your non-ERM areas of responsibility, such as vendor management, information security or business continuity, to gain more time for expanding these best practices to other areas in your enterprise.</p><p style="font-size:14px;"><strong>Compliance Professionals:</strong><br /> As regulations increase in number and change, so do the RCSAs (Risk and Control Self-Assessments) required as part of the compliance process. All risks to compliance are not equal in terms of impact, likelihood and effectiveness of current control activities. 
Attendees will learn how to objectively and systematically prioritize which regulations need attention from compliance risk assessments.</p><p style="font-size:14px;"><strong>Audit Professionals:</strong><br /> Auditors need an independent guide to evaluating the effectiveness of a risk management program. Learn how to prioritize risks in a timely manner to meet the new mandatory International Professional Practices Framework (IPPF) guidelines, <a style="color:#5f8bb3;" title="International Professional Practices Framework (IPPF), effective Jan. 1, 2013" href="https://na.theiia.org/news/press-releases/Pages/Revisions-to-Internal-Audit-Standards-Approved.aspx">announced by </a><a style="color:#5f8bb3;" title="International Professional Practices Framework (IPPF), effective Jan. 1, 2013" href="https://na.theiia.org/news/press-releases/Pages/Revisions-to-Internal-Audit-Standards-Approved.aspx">The Institute of Internal Auditors (IIA) </a><a style="color:#5f8bb3;" title="International Professional Practices Framework (IPPF), effective Jan. 1, 2013" href="https://na.theiia.org/news/press-releases/Pages/Revisions-to-Internal-Audit-Standards-Approved.aspx">effective Jan. 1, 2013</a>.</p></div></div>How do you Explain Risk Appetite?https://globalriskcommunity.com/profiles/blogs/how-do-you-explain-risk-appetite2012-11-01T03:48:50.000Z2012-11-01T03:48:50.000ZBryan Whitefieldhttps://globalriskcommunity.com/members/BryanWhitefield<div><p><b><i>I have had some very interesting conversations lately with Boards, Senior Managers and Risk Managers about risk appetite. Here are some insights:</i></b></p><p><b>Describing what we mean by risk appetite:</b> Risk appetite is risk speak, however, it can be easily explained. 
With <b>private sector firms</b> I tend to describe using dollars as the example - <i>"How much capital are you willing to risk to try and make your forecast profit?"</i> For <b>not-for-profits</b> I tend to bring it back to values - <i>"What are you willing to do to achieve your mission? What would you not do?"</i> And for the <b>public sector</b> I tend to use their number one objective in their corporate plan - <i>"What are you willing to do to achieve your number one objective? Would a few minor adverse audit findings be OK? Would you be prepared to weather the storm if the media ran with a story about your methods?"</i></p><p><b>Why risk appetite is important in risk management</b><b>:</b> I find putting risk appetite in context with how it is used when assessing risk is quite important. <b>I use the example of crossing the road.</b> The objective is the same, however, there is always a reason (running late for a meeting, running late for a hot date, to save your 4 year-old child from being abducted by a stranger). Your willingness to get to the other side based on your assessment of difficulty level to cross the road is an expression of your risk appetite.</p><p><b>Risk Appetite Statements:</b> While risk criteria in the form of likelihood and consequence tables and a risk matrix are valuable expressions of risk appetite, staff who were not involved in the discussions that formulated them are not aware of all of the thinking behind them. 
Providing additional commentary on each category of risk and on the core corporate objectives will communicate a much clearer message to staff as to what constitutes acceptable behaviour.</p><p> </p><p><a href="http://www.rmpartners.com.au/">www.rmpartners.com.au</a></p></div>Understanding risk appetitehttps://globalriskcommunity.com/profiles/blogs/understanding-risk-appetite2012-09-05T17:24:37.000Z2012-09-05T17:24:37.000ZMartin Davieshttps://globalriskcommunity.com/members/MartinDavies92<div><p><span class="font-size-2" style="background-color:#FFFFFF;font-family:arial, helvetica, sans-serif;font-size:13px;">Risk Appetite is loosely defined as "the affinity a person has for taking risk when attempting to meet a specific objective".</span></p><p><span class="font-size-2" style="background-color:#FFFFFF;font-family:arial, helvetica, sans-serif;font-size:13px;">This concept of risk appetite differs from person to person or business to business and interestingly you will find that a person's risk appetite changes as they age.</span></p><p><span class="font-size-2" style="font-family:arial, helvetica, sans-serif;">In this blog we look at risk appetite; what it is, where it has been used and why it is important.</span></p><p><span class="font-size-2" style="font-family:arial, helvetica, sans-serif;">[ <span style="color:#0000ff;"><a href="http://causalcapital.blogspot.sg/2012/09/understanding-risk-appetite.html" target="_blank"><span style="color:#0000ff;">Click here to continue reading</span></a></span> ]<br /></span></p></div>Risk Appetite - Setting it Righthttps://globalriskcommunity.com/profiles/blogs/risk-appetite-setting-it-right2012-08-24T02:03:27.000Z2012-08-24T02:03:27.000ZBryan Whitefieldhttps://globalriskcommunity.com/members/BryanWhitefield<div><p>As a risk workshop facilitator I get to assist many organisations assess risk to their key organisational objectives. 
Interestingly the outcomes are not always about risk treatments, often they are about reviewing risk appetite.</p><p><b> </b></p><p><b>Situation One:</b></p><p>The results of the risk workshop show that three of five key strategic objectives have Extreme risk ratings. This may be due to one of two scenarios: Either you are an organisation that is on the edge of the cliff OR your risk criteria are simply wrong. If the latter, you haven’t expressed your risk appetite clearly. In this case, developing a risk appetite statement to augment risk criteria would help you to set the risk rating criteria more appropriately before the workshop.</p><p> </p><p><b>Situation Two:</b></p><p>The risk workshop results in Low risk ratings for all your key strategic objectives. Again this may be due to one of two scenarios: Either your risk criteria are simply wrong where again development of a risk appetite statement to augment risk criteria will help OR you are “at risk” of being too conservative. You may need to raise the bar higher. On the other hand, you may be very content in your apparently low risk world.</p><p> </p><p><strong>The key point is that a clearly articulated risk appetite will drive people’s behaviour so you need to set it right to drive the behaviour you want to see.</strong></p><p> </p><p><a href="http://www.rmpartners.com.au/">www.rmpartners.com.au</a></p><p> </p><p> </p></div>Manigent release Strategy & Risk Studio Lite - Free Downloadhttps://globalriskcommunity.com/profiles/blogs/manigent-release-strategy-risk-studio-lite-free-download2012-04-27T10:02:11.000Z2012-04-27T10:02:11.000ZRebecca Beardhttps://globalriskcommunity.com/members/RebeccaBeard<div><p>Following the recent launch of Strategy & Risk Studio, Manigent have released a lite version of the application to allow users to download the product free of charge! 
</p><p>Strategy & Risk Studio is a one-of-a-kind application enabling consultants and practitioners to design and define an organisation’s enterprise performance management, enterprise risk management and/or strategy and risk management models. The tool is based on the Risk-Based Performance Management approach, which integrates best practices from popular methodologies including the Balanced Scorecard, COSO and ISO31000.</p><p>Strategy & Risk Studio is designed to be used in one-to-one or group meetings and workshop situations which are undertaken as part of the process of defining a strategy, performance or risk management model. It provides step-by-step guidance on the definition of a best practice model, enabling the model to be defined, documented and shared collaboratively.</p><p>In addition to simply designing Strategy and Risk Management models, the Strategy & Risk Studio also provides a simple risk and controls assessment capability and the option to enter indicator data and score indicators using a RAG approach. Three indicators types are supported by the app, Key Performance Indicators (KPIs), Key Risk Indicators (KRIs) and Key Control Indicators (KCIs). Strategy & Risk Studio can also be used to replace cumbersome spreadsheet based risk and controls matrixes or spreadsheet scorecards. </p><p>Key Business Benefits<br /> - Improve productivity<br /> - Reduce reliance on cumbersome spreadsheets<br />- Improve the speed and accuracy of framework design<br />- Rapidly iterate the design of your framework<br />- Enables an innovative, engaging consultative approach </p><p><a href="http://itunes.apple.com/gb/app/strategy-and-risk-studio/id512551251?mt=8" target="_blank">Strategy & Risk Studio</a> is available to download from the App store now for just $25 (USD). 
<a href="http://itunes.apple.com/gb/app/strategy-and-risk-studio-lite/id520079605?mt=8" target="_blank">Strategy & Risk Studio Lite</a> is free to download from the App Store.</p><p>To learn more visit <a href="http://www.strategyandriskstudio.com">www.strategyandriskstudio.com</a></p><p> </p><p> </p><p> </p></div>What is Risk Appetite?https://globalriskcommunity.com/profiles/blogs/what-is-risk-appetite2012-03-05T10:30:00.000Z2012-03-05T10:30:00.000ZRebecca Beardhttps://globalriskcommunity.com/members/RebeccaBeard<div><p>Risk Appetite Explained <br />In the face of the many recent failures of financial institutions, following market and asset crises and in the context of mounting regulatory demands from Basel 3, Solvency 2 and Dodd Frank, risk management is a topic high on the executive agenda. In particular, much emphasis has been placed on risk appetite and the role it has to play in an enterprise risk management approach, as part of an overall strategy execution process. <br /><br />But what is Risk appetite? <br />First and foremost, risk appetite is a necessary dimension of an organisation’s policy that sets the boundaries within which their executive team and others within the business execute strategy and take risk. It is set at board level and it is not something that can or should be delegated, either to the executive team or risk team. <br /><br />What the Standards Say<br />The Committee of Sponsoring Organisations of the Treadway Commission’s (COSO) Enterprise Risk Management – an Integrated Framework, 2004 defines risk appetite as the amount of risk, on a broad level an entity is willing to accept in pursuit of value. COSO makes two key points related to appetite. Firstly, it states that [risk appetite] reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style. 
Secondly, COSO establishes the link between appetite and strategy, stating explicitly: risk appetite is directly related to an entity’s strategy. <br /><br />The Risk Management Code of Practice from the British Standards Institution, BS31100:2008 defines risk appetite as the amount and type of risk that an organisation is prepared to seek, accept or tolerate. This standard also relates appetite to strategy and governance stating: considering and setting a risk appetite enables an organisation to increase its rewards by optimising risk taking and accepting calculated risks within an appropriate level of authority. <br /><br />What Manigent Says <br />Manigent, a Strategy Execution and Risk Management Consultancy Firm, provides a slightly broader definition of risk appetite as: the amount and type of risk that an organisation is willing to accept, and must take, to achieve their strategic objectives and therefore create value for shareholders and other stakeholders. By adding ‘and must take’, Manigent’s definition expresses that taking risk is an inherent part of strategy execution and value creation. Risk is not just about avoiding potential losses, but also about exploiting opportunities. <br /><br />Why is Risk Appetite Important? <br />Many times, history has demonstrated that companies having a ‘performance-only’ approach to strategy execution are prone to losses and failures once adverse circumstances emerge. The cascade of bank failures trapped into excessive credit derivatives exposures in 2008, the hard landing of the US economy after a widely identified, yet widely disregarded, asset bubble, the gigantic losses of the insurance sector in the aftermath of the technological bubble burst, the current struggle of continental banks stuck with excessive exposure to European sovereign debt, billions of rogue trading losses at Société Générale and UBS, the failure of MF Global after a strategy push for proprietary trading. 
Examples pleading for a risk based approach to strategy execution are countless. <br /><br />This implies, at Board level, a decision on the amount of risk the organisation is capable of taking and is willing to take, which translates into a Risk Appetite Statement. <br /><br />The Necessary Features <br />A risk appetite statement needs to be defined at the top, in line with the strategy and the value drivers of the business, transparent, unambiguous, and cascaded down through all decision levels of the organisation. <br /><br />Rather than “are we on track to hit our targets?”, board members and executives must ask a different question: “is the organisation operating within appetite?”. This question puts the alignment of risk-taking to strategy at the heart of the strategic conversation and incorporates both the performance and risk dimensions of strategy execution. <br /><br />As a board level tool, Manigent believe that the definition of risk appetite must be closely coupled with the definition of strategy. Therefore, one of the first steps in the risk appetite definition process is to define a clear set of business drivers related to the organisation’s business model and strategy. Once the board and executive have determined the business drivers, those few key determinants of success, these should then be used to define the organisational risk appetite. <br /><br />Board involvement in setting and monitoring adherence to firms’ risk appetite and the presence of actionable elements that articulate firms’ intended responses in cases of breaches in limits are two key features highlighted by the Senior Supervisors Group in their report on the risk management lessons from the 2008 crisis. <br /><br />A Risk Appetite Statement is a set of limits within which a company is allowed to operate. 
Any breach of those limits during the execution of the strategy must be reported to the Board, which will either allow an exception or revise its risk appetite based on due justification, or take appropriate actions to reduce the risk exposure and realign the exposure of the business within its appetite. Manigent fully supports these good principles of corporate governance, widely recommended to the financial services industry, and helps its clients adhere to them. <br /><br />If you are interested in learning more or simply have a question surrounding Risk Appetite please email: becky@manigent.com</p></div>Building a Robust Operational Risk Appetite Statementhttps://globalriskcommunity.com/profiles/blogs/building-a-robust-operational-risk-appetite-statement2012-03-01T15:13:14.000Z2012-03-01T15:13:14.000ZRebecca Beardhttps://globalriskcommunity.com/members/RebeccaBeard<div><p><span lang="en-us" xml:lang="en-us">Andrew Smart, CEO and founder of <a href="http://www.manigent.com" target="_blank">Manigent</a>, a Strategy and Risk Management consultancy, has recently developed a whitepaper on designing an operational risk appetite statement. This paper outlines a seven step process which enables organisations to deliver an operational risk appetite statement which will meet regulatory obligations while adding real business value. This paper was recently featured in new e-magazine, <strong><em><a href="http://www.riskuniverse.com/">The Risk Universe</a>, </em></strong>which is a new online publication developed by industry professionals, for industry professionals. Focusing on operational risk management, Risk Universe aims to provide all the information Risk Managers need.</span></p><p><span lang="en-us" xml:lang="en-us">Alongside the seven step 'how-to' process/guide, the benefits of a strong appetite statement are explained and real practicalities of managing and accessing risk appetite are demonstrated, including using the appetite alignment matrix. 
With mounting regulatory demands faced by many financial institutions, and other regulated industries, a robust risk appetite statement assists organisations in executing their strategy by clearly defining the boundaries within which they can operate, and improves risk management processes by guiding tolerance setting. By following the seven step procedure, alongside the use of key risk management tools, organisations can expect to improve their strategic execution, whilst reducing risk-related losses and delivering regulatory compliance. <br /><br />To download this whitepaper, <a href="http://www.manigent.com/storage/downloads/How%20to%20Appetite%20Statement.pdf">click here</a>.</span></p></div>Meeting Your Challenge of Setting Risk Appetitehttps://globalriskcommunity.com/profiles/blogs/meeting-your-challenge-of-setting-risk-appetite-12011-11-02T03:39:54.000Z2011-11-02T03:39:54.000ZBryan Whitefieldhttps://globalriskcommunity.com/members/BryanWhitefield<div><p><strong> </strong></p><table width="432" cellspacing="0" border="0"><tbody><tr><td align="left" valign="top" style="padding-bottom:8px;padding-left:15px;padding-right:10px;font-family:'Lucida Grande', 'Lucida Sans', 'Lucida Sans Unicode', Arial, Helvetica, Verdana, sans-serif;color:#666666;font-size:11px;padding-top:2px;"><p>A well defined risk appetite endorsed by Executive Management and the Board is the single most important element for establishing the risk culture you want for your organisation. Like many things in life, the best things don’t come easily though. 
The two greatest challenges are:</p><ol><li style="font-family:'Lucida Grande', 'Lucida Sans', 'Lucida Sans Unicode', Arial, Helvetica, Verdana, sans-serif;color:#666666;font-size:11px;">Dealing with disinterested Executive Management.</li><li style="font-family:'Lucida Grande', 'Lucida Sans', 'Lucida Sans Unicode', Arial, Helvetica, Verdana, sans-serif;color:#666666;font-size:11px;">Agreeing a risk tolerance that may be viewed by many as socially unacceptable or immoral.</li></ol><h3 style="line-height:1.28em;font-family:'Lucida Grande', 'Lucida Sans', 'Lucida Sans Unicode', Arial, Helvetica, Verdana, sans-serif;color:#222;font-size:16px;">Disinterested Management</h3><p>A disinterested Executive means they have not made the link between risk appetite and the behaviour of staff. Whether they like it or not, staff are absorbing signals from management and making their own assumptions about the organisation’s <span style="font-size:10pt;">appetite</span> for risk and they are making their judgements accordingly. In the absence of a well articulated risk appetite it is certain that some of the staff will have misinterpreted the risk appetite the Executive desire.</p><p>To win over the Executive you simply need to work backwards from the decision making of staff to the signals being sent by management. Use examples to point out how the signals flowed through the organisation.</p><h3 style="line-height:1.28em;font-family:'Lucida Grande', 'Lucida Sans', 'Lucida Sans Unicode', Arial, Helvetica, Verdana, sans-serif;color:#222;font-size:16px;">Socially Unacceptable Tolerances</h3><p>For many organisations, principally those only with office workers, it is simple to articulate any loss of life to be “catastrophic” for the organisation. However, even for these organisations, one death does not usually mean the extinction of the organisation. 
The real challenge comes for organisations that know they will experience events that are socially unacceptable to many such as mining, oil and construction companies where lives may be lost and environmental calamities may occur. To avoid these at all cost would mean the organisation could not operate, yet society wishes for the organisation to exist to provide goods or services we desire.</p><p>To manage this when documenting risk appetite you can distinguish between risk events that are due to negligence versus risk events that have occurred despite the efforts expected by a “reasonable person”. As an example, you can document an acceptance of risk that there will be fatalities in your business due to the risks of international travel that a “reasonable person” would assume in their role. This might include flying with an airline that is accredited and maintained to international standards while avoiding airlines that are not.</p></td></tr></tbody></table><p><strong>Bryan Whitefield</strong> <br /><strong>Director, Risk Management Partners</strong> <br /><a href="mailto:bwhitefield@rmpartners.com.au"><strong>bwhitefield@rmpartners.com.au</strong></a></p><p><a target="_blank" href="http://links.visibli.com/37a8e3becd332a23/?web=aed93b&dst=http%3A//www.rmpartners.com.au/" title="Risk Management Partners">www.rmpartners.com.au</a></p></div>5 Steps for Better Risk Assessmentshttps://globalriskcommunity.com/profiles/blogs/5-steps-for-better-risk-assessments2011-10-21T07:00:00.000Z2011-10-21T07:00:00.000ZSteven Minskyhttps://globalriskcommunity.com/members/StevenMinsky<div><p><span style="color:#333333;">Risk managers are charged with ensuring transparency, alignment, and forward looking views throughout the organization. The way this is achieved is through risk assessments. 
</span></p><p><span style="color:#333333;">Successful enterprise risk assessments can be a powerful tool for board and management level strategic decision making by connecting business activities to goals and identifying the risks that threaten to derail these strategic objectives. An unsuccessful risk assessment is little more than a form over substance activity that lacks context and actionable results. </span></p><p><span style="color:#333333;"><b>So, how do you implement a successful enterprise risk assessment</b>? </span></p><p><span style="color:#333333;">The key is being able to compare information across functions and levels while keeping one comprehensive risk picture.</span></p><ol><li><span style="color:#333333;"><b>Standardize your <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-assessment-templates/" target="_blank">Risk Assessments Templates</a></b> - Activities like vendor management, business continuity, compliance, IT, financial reporting, operations, internal audit, and others are all informal risk assessments. When these assessments are carried out on the same standards and assumptions, defined in a taxonomy, they can be compared and utilized cross-functionally.</span></li><li><span style="color:#333333;"><b>Common Root Cause <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-identification/" target="_blank">Risk Identification</a> Approach</b> - Risk managers should provide a common root cause risk library to process owners so that when multiple areas choose the same risk, systemic risks as well as upstream and downstream dependencies can easily be identified and mitigated. 
This method also identifies areas that would benefit from centralized controls so the extra work of maintaining separate activity level controls is eliminated.</span></li><li><span style="color:#333333;"><b><a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/performance-management-with-erm/" target="_blank">Performance Management</a>: Alignment of Activities, Goals and Risks</b> - Risk managers need to tie root cause risks to strategic goals and trace these same risks through the process areas that they affect in order to determine which activities will roll-up to impact organizational objectives. Once these connections are made clear, risk managers are able to prioritize the effectiveness of controls, so that resources and focus are allocated to the issues that will yield the greatest benefit to the organization.</span></li><li><span style="color:#333333;"><b><a href="http://www.logicmanager.com/erm-software/product/dashboard-reports/" target="_blank">ERM Reporting</a>: Group Information for Multiple Stakeholders</b> - Because assessments are conducted on the same standards and assumptions and risks are identified at a root cause level from a common library, process owners can do one risk assessment, and the information can be sliced, diced, and aggregated to serve multiple purposes. It will provide a functional insight for the process owner, tie into governance areas like vendor management, and serve a strategic purpose by rolling-up into board level objectives.</span></li><li><span style="color:#333333;"><b><a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-appetite-risk-tolerance-residual-risk/" target="_blank">Risk Appetite</a>: Timing and Trends</b> - Risk assessments must be conducted on a regular basis and when approaching business changes, new initiatives, or high risk issues. 
Being able to view the trends over time gives the organization's static risk profile context and a reference point so that necessary actions can be taken when you start seeing small changes in your risk profile before things get out of tolerance.</span></li></ol><p><br /> <font color="#333333"><span>To see these best practices in action to uncover changes in risk to prioritize controls, tests and business metrics, </span><a href="http://www.logicmanager.com/streamline-governance-activities-erm-video">watch this 5 minute video.</a></font></p></div>5 Ways to put Risk Appetite into actionhttps://globalriskcommunity.com/profiles/blogs/5-ways-to-put-risk-appetite2011-04-12T05:00:00.000Z2011-04-12T05:00:00.000ZSteven Minskyhttps://globalriskcommunity.com/members/StevenMinsky<div><p>An organization-wide <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-appetite-risk-tolerance-residual-risk/" title="risk appetite">risk appetite</a> can be a powerful statement that gives your risk or compliance program direction. However, like any policy, risk appetite without accompanying action is nothing more than an idea.</p><p>So how do you give your risk appetite teeth? How do you make it an actionable guide for your organization?</p><p>Here are five recommendations to put your risk appetite into practice.</p><p><span><strong>1. Translate <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-appetite-risk-tolerance-residual-risk/" title="risk appetite">risk appetite</a> to the process level.</strong></span></p><p>Every day your front-line managers are making operational decisions about risk, far from your risk appetite policies. 
This is where income is generated, where employees interact with customers, and where emerging liabilities are first visible.</p><p>To successfully implement your risk appetite you need to identify and set risk tolerances at this level of operations; at the front-line process level. This will allow you to connect front-line decisions with your overall risk appetite and determine which processes are out of range.</p><p><span><strong>2. Set and measure <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-appetite-risk-tolerance-residual-risk/" title="risk tolerances">risk tolerances</a> around <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/risk-identification/" title="root causes analysis">root causes analysis</a>.</strong></span></p><p>Setting risk tolerances around front-line processes isn't enough to truly put your risk appetite into action. You also need to be monitoring root causes of risk at this level.</p><p>For example, say your risk appetite sets a low tolerance for customer dissatisfaction and as a goal you aim to increase customer satisfaction. You could set goals for a particular customer satisfaction survey. However, this metric doesn't offer any actionable solution to improve customer service.</p><p>Instead, go to the root causes of customer dissatisfaction with metrics such as call wait time, email response time, or case volume. Unlike the results of a survey, these metrics are actionable if they are found to be outside of their defined tolerance.</p><p><span><strong>3. <a href="http://www.logicmanager.com/erm-software/product/monitor/" title="Risk metrics">Risk metrics</a> need to be forward looking.<br /></strong></span></p><p>Another problem with our customer service survey comes from the time it takes to compile responses and analyze aggregated results just to be able to make a decision. 
With a survey you'll always be acting on customer impressions from last month as an effect of last year's policies.</p><p>Instead, your metrics need to be looking to the future. Returning to our customer service department, case volume, for example, is available as cases are created and will allow you to detect emerging trends long before they have significantly affected your organization.</p><p><span><strong>4. <a href="http://www.logicmanager.com/erm-software/product/risk-taxonomy/" title="Standardize">Standardize</a> your risk metrics enterprise-wide.</strong></span></p><p>Underlying risk metrics need to be comparable over time, across levels, and across silos for a risk tolerance to be meaningful.</p><p>Using our customer service metrics again, re-opened cases might be a good root-cause metric, but it's not comparable over time or across products as the number of total customers will vary. Instead, measuring the percent of re-opened cases may be a more meaningful metric as its value is independent of customer volume and is thus comparable both over time and across silos.</p><p><span><strong>5. Align your risk tolerances with your <a href="http://www.logicmanager.com/erm-software/knowledge-center/best-practice-articles/performance-management-with-erm/" title="strategic goals">strategic goals</a> and business model.</strong></span></p><p>Risk tolerances will naturally develop from your overall risk appetite, but they also need to be in line with your organization's goals. 
Your organization might define a very low tolerance for customer dissatisfaction, but if you're attracting lots of high-cost customers, then this policy isn't in line with a discount business model.</p><p>When risk tolerances are aligned with both overall risk appetite and strategic goals, they will both improve risk mitigation effectiveness and contribute to achieving your strategic goals.</p><p>To see the power of these recommendations in action, see our video "<a href="http://www.logicmanager.com/streamline-governance-activities-erm-video" target="_blank">Streamlining Governance with ERM</a>".</p></div>