Future Finance, Fintech, DeFi | Daily News

An effective risk tolerance, appetite, criteria, etc. statement

Hopefully, you have seen the consultation paper (link below) on Risk Appetite and Risk Tolerance published by the Institute of Risk Management. While it doesn’t close the debate over risk appetite/tolerance, or how (in my opinion) to define and communicate related corporate expectations on evaluating risk, it has some interesting content. I hope you will read it and share your thoughts with IRM staff.

My response was based on a few principles. I believe any guidance for evaluating risk levels (whatever you call it: risk appetite statement, risk criteria, or something different) has to meet certain requirements:

1. Managers making decisions need to understand the degree to which they (individually) are permitted to expose the organization to the consequences of an event or situation. Any ‘risk appetite’ or similar statement needs to be practical, guiding the manager to make what I call risk-intelligent decisions. So, guidance has to be effective at the level of the manager’s decision.
2. Executives need to be able to understand the aggregated and interlinked ‘risk level’ so they can determine whether it is acceptable or not. So, guidance has to be effective at the aggregated level.
3. The board and executive leadership need to understand the above for the organization as a whole. So, guidance has to be effective at the entity level.
4. Risk appetite is not constant. It should change as the environment and business conditions change. Any guidance for managers and executives has to realize this. Anything approved by the board has to have some flexibility built in.
5. Risk decisions need to be made with full consideration of reward. Guidance needs to help managers and executives take an appropriate level of risk for the business, given the potential for reward. Consider the ROI standard on capital projects: sometimes it is appropriate to SET a standard that the reward (likelihood and potential magnitude) has to be some multiple of the risk (likelihood and potential magnitude). Setting levels for risk without regard to reward is a recipe for failure.

Do you agree with these principles? If not, how would you change them?

Link: www.theirm.org/publications/risk_appetite.html

Norman Marks, CPA, is vice president, governance, risk, and compliance for SAP's BusinessObjects division, and has been a chief audit executive of major global corporations for more than 15 years. He is the contributing editor to Internal Auditor’s “Governance Perspectives” column.

Wednesday, May 11, 2011
