
Monday, 29 April 2019

The Curse of Risk Appetite



In this post, I go back to one of the fundamental aspects of an ERM framework: risk appetite. ‘The Curse of Risk Appetite’ is part of the title of an interesting paper reviewing the misuses of risk appetite.[1] Some of the misuses described in the paper might sound familiar, but perhaps the key point to take away from the paper is that there is a potential for risk appetite to become synonymous with ‘a consideration of risk’. I am not sure this was ever the intention. 

The paper includes several useful suggestions to enhance risk appetite. They are focused on the long-run value of the firm and on the structure of risk appetite statements, reflecting a view that risk is the likelihood of falling below critical levels of performance. However, my attention was really caught by the authors’ suggestion to improve the organisational process for risk management. They suggest that a risk function’s role should be defined to include responsibility for evaluating the combined effect of strategic initiatives and capital budgeting on the firm’s overall risk profile.

On one level, this prescription is consistent with the view that the aim of the risk function should be to ‘protect and enable’, with the emphasis on the ‘enable’ aspect which sometimes gets overshadowed by ‘protect’. I am attracted to this suggestion because it turns a vision into a practical requirement that can be incorporated into an articulation of roles and responsibilities for a CRO or risk function. 

If, however, this was implemented literally in UK financial services, I suspect there would be an issue with regulators’ expectation about the independence of the risk function (second line of defence) from the business (first line). 

A similar outcome could be reached by clarifying that the role of the CRO/risk function includes providing a risk opinion in the early stages of the consideration of major strategic initiatives that have the potential to alter the business’s risk profile. The emphasis on timing is important. Providing a risk opinion only when major strategic initiatives are presented for approval is unlikely to add value. A CRO/risk function opinion in the early stages is likely to support consideration of the details of the initiatives and how they can be shaped to strike the appropriate balance between risk and return.





[1] Alviniussen, Alf and Jankensgård, Håkan, The Risk-Return Tradeoff: A Six-Step Guide to Ending the Curse of Risk Appetite (May 7, 2018). 

Monday, 5 March 2018

Risk Assurance: The Challenge Ahead


I wrote about risk assurance a while ago (here). More recently, I have had a chance to talk with a few people in banking and consulting about it, and to reflect further on the subject.

By way of background, my working definition of risk assurance is a structured activity undertaken by the risk function (second line) which is aimed at evidencing that risk management is embedded in the business. Feel free to comment on this definition.

The important thing about risk assurance is that it matters because it contributes to shifting (or to maintaining, if you wish) the appropriate risk culture in the business. What do I mean by this? I hope we can all agree that the appropriate risk culture in financial services is one that includes the following:
  • the business takes into account risks in decision making and can evidence that, including compliance with regulatory requirements; and
  • the risk function provides the parameters for taking into account risk in decision making (risk appetite framework, stress testing, etc.) and aggregates risks.
Truly achieving that is a challenging journey that takes time. Many insurers and banks started the risk management journey as a result of regulatory requirements—Solvency 2 or Basel. In practice, this has meant that sometimes risk functions have taken up activities like approvals that belong to business functions. Risk assurance will generate evidence about how risk management operates in practice. It will also help to shift the focus of the risk function—and, in turn, the business—in the appropriate direction.

I have worked with a number of clients to implement programmes of risk assurance. Interestingly, these engagements have turned out to be rather different because they must reflect the starting point for the business. In one case, the risk function was well resourced, and the focus was planning. In another case, the focus was a combination of up-skilling and evidencing through pilot risk reviews that the activity can add value.

Leaving aside the considerations associated with implementation, it is important that there be a shared perspective about the overall aim of risk assurance, i.e. ‘integrated assurance’. This reflects two simple observations:
  • internal audit functions already provide assurance about the overall control environment;
  • from a Board perspective, assurance is assurance, regardless of which team/line of defence provides it.
In other words, the aim would be to develop a risk-based assurance plan which covers deliverables by 2LOD and 3LOD in such a way that the Board can understand where independent assurance has been provided.

I would be interested to hear your thoughts.



Friday, 27 February 2015

The Three Lines of Defence: An Enforcement Perspective


Much has been written about the three lines of defence model, including whether there are really three lines of defence (or any other number) and whether the concept is dead.  I personally regard the three lines of defence as a mechanism to clarify roles and responsibilities and underpin the risk management activities of different functions in financial services.

This week there was good evidence that the concept is alive and well.  The FCA issued a penalty to Aviva Investors for failure to manage the conflicts of interests between itself and clients, and between different clients (full paper here). 

From a risk management perspective, there were a couple of interesting lessons:   

1.  The increased size of compensation paid as part of the enforcement case relative to the size of the regulatory fine; in this case the fine was £17.6m and the compensation to eight funds was £132m. 

2.  The FCA has drawn an explicit parallel between failures of the three lines of defence model and Principle 3, which requires that an authorised firm “take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.”

The articulation of the case examines the performance of each line of defence and sets out the observed failures, which provides a useful checklist.

1. Weaknesses in the first line of defence 
  • unclear split of responsibilities between first and second line of defence 
  • failure to implement appropriate controls  
  • lack of system to capture the relevant information 
  • weaknesses in management information produced 
  • culture focused on performance together with performance management that often overlooked the importance of risk and controls  
2.  Weaknesses in the second line of defence  
  • inadequate compliance monitoring 
  • inadequate compliance resource and capability 
3.  Weaknesses in the third line of defence  
  • unclear process to accept the risk associated with control weaknesses 
  • dependency on strategic change projects without adequate consideration of whether they address the findings and support the closure 
  • lack of testing of the closure of audit issues
Intuitively this characterisation of systems and controls around the three lines of defence is not new; in my view, rather, it is the explicit recognition in an enforcement case that is new.


This post is part of a series of posts on the practical lessons for risk management from enforcement cases.  The posts are all brought together in the page FCA enforcement.