Chapter 10 – Risk culture, appetite and tolerance Flashcards

1
Q

What are the two perspectives of defining risk appetite?

A
  • The level of risk exposure that an organisation is prepared to accept; or
  • Organisation’s willingness to take a defined level of risk in the pursuit of its strategic objectives

An organisation must decide the level of risk exposure that provides an optimal balance between the upsides and downsides of risk-taking. Most organisations can only achieve their objectives if they take risks. Without risk there would be no opportunities to exploit, no products and services, and no returns to earn.

2
Q

What is risk tolerance?

A

Risk tolerance – may be used instead of risk appetite, especially where the focus is on downside risk

  • An organisation may set tolerance limits for health-and-safety incidents – minor incidents may be tolerated, but not major incidents such as death or serious injury
  • Tolerance limits may be set for a range of KPIs including staff turnover rates, staff absence rates, customer complaints, system availability, etc
  • Tolerance limits can be linked to RAG reporting – any risk or metric that is in the red is intolerable
  • Blockbuster/Kodak
3
Q

What is risk capacity?

A

Risk capacity – **denotes the maximum enterprise-wide level of risk to which an organisation may be exposed**
Risk capacity is usually a function of an organisation’s financial strength. Organisations that have significant financial reserves or low levels of debt can normally take more risk. Risk capacity may also be determined by governments, regulators or other stakeholders (such as shareholders and consumers). For example, public concern about the risks associated with activities such as fracking or genetically modified foodstuffs may mean that organisations decide against investing in them despite the potential financial returns. Northern Rock, Ratner, Austrian wine

4
Q

What factors should be considered when determining risk appetite?

A
    • Legal and regulatory requirements
    • The risk preferences of key stakeholders
    • The specialist knowledge, skills and experience
    • The strength of an organisation’s balance sheet – influences the ability to withstand unexpected losses
    • External factors such as technological change or economic growth – Tesla and Uber
5
Q

What is the role of the board and CRO in relation to risk appetite?

A

The role of the board
The board is best placed to determine risk appetite because it has a broad organisation-wide view and exists to represent the interests of stakeholders. The board is also often responsible for determining strategy and an organisation’s objectives. These are factors that influence and are influenced by risk appetite.

The role of the chief risk officer and risk function
Where an organisation has a CRO or risk function, they should help to facilitate the board’s role in setting risk appetite. This might include organising a workshop or providing information to help the board make a decision.

6
Q

What is macro culture?

A
  • the country or region where a person grew up;
  • religious or family influences;
  • where they were educated and the level of that education; and
  • their professional training and experiences, for example, company secretary, lawyer or accountant.
7
Q

What is organisational culture?

A

Organisational culture - relates to how its employees collectively think, feel, perceive, act and behave. Humans are social animals and most exhibit a strong desire to fit in. An organisation’s culture provides an implicit but powerful co-ordination mechanism for how its employees live and work together.

8
Q

What are the three layers of organisational culture?

A
  1. the visible products of the culture – e.g. how people dress, the design and layout of the organisation’s premises, the jargon in use, the design of its policies and procedures
  2. the beliefs and values that are spoken about – a major influence here is the tone that comes from the top management; what they say is important to them and the organisation – e.g. financial success, social values, taking a short or a long-term view, etc
  3. the deeper underlying assumptions – behaviours that are so ingrained that people do not realise that they are exhibiting them – e.g. competitiveness, aggressiveness, politeness or friendliness
9
Q

What is risk culture?

A

Risk culture can relate to many different types of behaviour and attitude in relation to risk-taking and risk management, including:
* the level of risk-taking that is considered to be desirable (high or low);
* how different types of risk are perceived and whether they are considered to be high or low, or good or bad;
* the level of risk control that is considered to be desirable (high or low);
* why risk management is perceived to be necessary, such as whether it is seen as value enhancing or simply a box-ticking compliance exercise;
* whether or not risk compliance and risk governance are viewed as important activities;
* the general importance attached to risk management and risk-management goals;
* the level of awareness that an organisation’s employees have about the risks to which it is exposed;
* how employees respond to policies and procedures (whether they are seen as helpful or unnecessary red-tape);
* whether risk events are perceived as learning opportunities or an opportunity to blame others; and
* whether employees are prepared to report risk events and control weaknesses.

10
Q

What are risk sub-cultures?

A

Most organisations have risk sub-cultures that fit under the overall organisational risk culture. These sub-cultures may emerge in different countries of operation, business lines, functions, departments, teams or workplaces.

Risk sub-cultures are influenced by the broader organisational risk culture but significant deviations can exist. These deviations are not necessarily a problem and may facilitate the smooth functioning of risk-taking and risk management in different parts of the organisation. However, issues can occur from time to time.

The Barclays LIBOR scandal illustrates the problem of risk sub-cultures.

11
Q

Outline some common tools to identify, monitor and control risk culture

A
  • employee surveys
  • employee focus groups
  • interviewing staff
  • analysis of HR info (staff turnover, exit interviews, etc)
  • internal audits
12
Q

Using Simons’ levers of control (BBDI), provide some examples on how an organisation can control risk culture

A

Belief systems - tone and action from top, organisation’s values, codes of conduct
Boundary systems - risk appetite, policies and procedures, mandates and limits of authority
Diagnostic systems - used to motivate, monitor and reward behaviours - employee performance evaluation, remuneration arrangements, disciplinary and grievance processes
Interactive systems - stimulate organisational learning - training and communication, risk communication and escalation processes, lessons learned
