Campbell Nicoll, Chief Risk Officer, Regional Australia Bank
For any business, it is important to create a culture that understands the amount of risk the business is prepared to take. The board and management must develop this culture so that the business can take advantage of opportunities by ensuring that the risks associated with each opportunity are analysed, assessed and, where possible, quantified.
To create the risk environment, the board and management need to explore their strategy and how it will interplay with the operational environment. This enables a business to set its strategic risks. From these, the business can then develop the appropriate risk management frameworks, which enable risk to be quantified and measured.
To create an appropriate risk environment, the board must develop a risk management strategy (“RMS”), which is the board’s articulation of how risk will be managed and what an effective risk management environment looks like.
This document will contain descriptions of different risk categories to ensure that the business has a common language. The creation of a common language is imperative, as everyone in a business is an owner of risk.
Once a common language has been defined, a business needs to define the quantity of risk it is prepared to take. This is developed through the Risk Appetite Statement (“RAS”). Whilst the RAS is a document approved and developed by the board, the most successful implementations of a RAS are those developed in conjunction with the business. By building a RAS on both a ground-up and a top-down basis, you are able to capture the goals the business believes it can achieve, as well as ensuring that these are aligned with the business goals within the board’s strategy.
A well-defined RAS will have a number of key risk indicators (KRIs), each of which acts as a detective or predictive control: a quantifiable measure for a risk category that acts as a proxy for the amount of risk a business is taking. It is important that any RAS has a mixture of detective and predictive measures so that the business is measuring not only what has happened but also what might happen in the future.
Whilst the RAS is a key document that is aligned to strategy, you must then find a way to embed it into the business. By developing the RAS with the top-down / ground-up approach, the business will have a degree of ownership. This approach enables leaders in different areas of a business to articulate how the RAS impacts their part of the business, as well as being able to discuss how they form part of the strategic environment of the overall business.
Once the RAS has been set and articulated, there is a need to provide ongoing reporting of KRIs. Reporting on KRIs will only be successful if insightful commentary is provided when risks are emerging. The commentary provides the why as to how the risk has manifested, whilst the KRI itself only provides the quantum of the risk. The quantum is insufficient to tell management and the board whether the amount of risk is unacceptable or not, so the commentary needs to provide insight as to whether this is something the business needs to accept or stop. It is always important to remember that risk environments are constantly evolving and changing, so it is reasonable to expect KRIs to evolve with the risk environment.