Risk Appetite and Risk Tolerance

Question 1

What is the definition of risk appetite according to Hopkin?

Answer 1

The immediate short term willingness of an organisation to undertake an activity that involves risk. It can be the total value of corporate resources that the board is willing to put at risk. It can only be looked at in the context of STOC.

Question 2

What is the IRM definition of risk appetite?

Answer 2

The amount of risk that an organisation is willing to seek or accept in pursuit of long term objectives.

Question 3

What is actual risk exposure?

Answer 3

The total cost of risk (all types of risk). There should be adjustments made to factor in the correlated nature of some risks rather than the sum of individual risks.

Question 4

What is the risk universe?

Answer 4

All risks considered at board level.

Question 5

How should risk appetite be viewed?

Answer 5

It should be viewed within the internal and external context of an organisation, its strategy, tactics, operations and compliance core processes.

Question 6

What is the definition of risk tolerance?

Answer 6

COSO ERM 2004 - The acceptable level of variation relative to a achievement of a specific objective, and often best measured in the same units as those used to measure the related objective.

Question 7

How are risk tolerances used?

Answer 7

Management considers the relative importance of the objective and aligns risk tolerances with the risk appetite. Operating within risk tolerances helps ensure that the entity remains within its risk appetite, and in turn, achieve its objectives.

Question 8

How may risk tolerances be expressed?

Answer 8

Can be expressed in absolute terms - “we will not expose more than x% of our capital losses in a certain line of business.”

Question 9

How may a firm ensure that core processes are carried out in line with the risk appetite?

Answer 9

Delegation of Authority - sets authorisation limits, expenditure limits and other constraints.

Question 10

What is the process for setting a risk appetite statemen - six stages?

Answer 10

1. Identify stakeholders and their expectations - CSFSRS
2. Define company wide risk exposure through analysing STOC as set out in the risk register.
3. Establish the desire levels of risk exposure that will lead to a risk appetite statement that provides a set of qualitative and quantitative statements.
4. Define the range of acceptable volatility or uncertainty around each of the types of risks leading to a statement of acceptable risk tolerances.
5. Reconcile the risk appetite and risk tolerances with the current level of risk exposure and plan actions to bring risk exposure in line with appetite.
6. Formalise and ratify a risk appetite statement, communicate the statement with stakeholders and implement accordingly.

Question 11

How are risks handled?

Answer 11

EM3 - Embrace, Mitigate, Manage, Minimise

Opportunity risks are embraced (strategy)
Uncertainty risks are managed (tactics)
Hazard risks are mitigated (operations)
Compliance risks are minimised (compliance)

Question 12

What types of things might an insurer have zero risk appetite for?

Answer 12

• Censures, fines or prosecution
• Failure of internal controls
• Damage to brand, reputation from inappropriate acceptance of risk.
• Underwriting new classes of business without management authority.

Question 13

According to the UK Corporate Governance Code, who is responsible for determining the nature and extent of the risks inherent in achieving strategic objectives?

Answer 13

Board

Question 14

What are the principles underpinning risk appetite (6)?

Answer 14

1. Setting risk appetite is complex - acknowledge the complexity.
2. Risk appetite needs to be measurable - how are performance indicators impacted by risk e.g. shareholder value or Economic Value Added.
3. Risk appetite is not a single, fixed concept - there are a range of risk appetite for different risks. These appetites may vary over time.
4. Risk appetite should be developed in the context of the organisation’s risk management capability and risk management maturity. Culture and systems and processes to manage risk form part of the context.
5. Risk appetite need to be addressed at all levels of the organisation for it to make practical sense - STOC.
6. Risk appetite should be integrated with the control culture of the organisation e.g. propensity to take risk and the propensity to exercise control. The propensity to take risk may be greater at a strategic level, while the propensity to exercise control may be greater at an operational level.

Question 15

What are the 5 tests for risk appetite frameworks?

Answer 15

1. Do managers know the extent to which they are permitted to expose the firm to the consequences of an event or situation?
2. Do the executives understand their aggregated and interlinked level of risk to determine whether it is acceptable or not?
3. Do the board and executive leadership understand the aggregated and interlinked level of risk for the whole organisation?
4. Are managers and executives clear that the risk appetite is not constant?
5. Are risk decisions made with full consideration of reward?