By Jacob Rosengarten, Principal, Wolf/Rosengarten Group
What, for you, are the benefits of attending a conference like the ‘Operational Risk Management Congress’?
It is always beneficial for risk professionals to assemble from time to time, and share best practices with other risk practitioners. Risk management often entails identifying “straws in the wind” that could be caused by anomalous processes, some of which may come from outside of the company. Conferences such as the present one can help risk practitioners more timely identify unusual risk processes or trends, as they will be exposed to risk topics that both timely and relevant while having the opportunity to discuss their impressions and “learnings” with other attendees.
In the case of risk appetites, the conventional risk literature says that appetites should be cascaded across the organization yet, in practice, many risk professionals find this hard to do. Reasons include:
- By design, risk appetites are often not publicly disclosed and are often not communicated beyond the Board and most senior leaders in the organization. This result arises because firms want to control what information makes it into the public domain in order to help manage legal exposures. When this occurs, robust cascading is not an option.
- Board members and colleagues are often more conversant in financial (i.e., accounting) concepts than risk concepts, all of which inhibits communication and understanding. And so even if a risk concept is robustly cascaded, does that mean it is robustly understood?
- Some risk appetites give no insight into the sources of risk that are supposed to be measured. An example might be a volatility appetite. The existence of the appetite may give no color into which sources of activity are to produce the volatility. The point here is that not all volatility is identical, and so if a certain level of dollar volatility is produced by a process which is not anticipated by the business (e.g., an uninsured building fire), it might be viewed as a risk failure. In contrast, the same level of dollar volatility produced by an anticipated activity (e.g., slowing sales due to a weaker economy) might be deemed acceptable. Further a level of dollar volatility that might be acceptable over, say, a one-year time horizon might be completely unacceptable if it occurs in a calendar month, and so on.
- Deliberative bodies like boards and risk committees can change their view of acceptable risk levels after a large event and so while risk appetites may exist, they may not be fully internalized and the consequences of same fully understood. This is not necessarily a failure of process, but rather due to the psychology of how we humans process surprises and large risk events. This psychological dimension must be addressed by risk professionals to increase the likelihood that organizations are truly prepared for the consequences of losses.
How can risk professionals best link risk appetite to decision making?
In my presentation, I will suggest that there are established processes that firms have used for years to manage their businesses. There are typically three processes:
1) a strategic plan; 2) a financial budget; and 3) financial monitoring of budget variances.
These three processes are interlinked. For example, for a financial budget to be produced a strategy must exist, as without a strategy a budget is just a column of numbers. For a budget to exist, a strategy must be present or else how else would there be any road map as to whether the budget will help the firm accomplish its short term and long-term goals? Finally, if a budget is produced, this suggests scarcity and so it is only natural to monitor and understand financial variances from financial budget.
Since risk is the “fuel source” that generates returns, there must be a duality or correspondence between every line item in a strategic plan, a financial budget and financial variance monitoring. My presentation will suggest ways that key members of the organization can understand that correspondence and produce risk profiles that aggregate into a desired profile.
How do you see more effective associations being made to identify and develop risk appetite for the future?
As the risk management process matures, there is more guidance given as to what constitutes a robust set of risk appetites. In some cases, surveys from industry associations or thought leaders (e.g., consulting forms) provide insights into what risk appetites are being adopted by competitors.
As new forms of risk emerge, one of the challenges facing risk professionals will be to ensure that a corresponding risk appetite is developed. To give one example, in the case of cyber risk, some firms regard this as a type of risk already addressed by an overarching operational risk appetite statement, while other firms regard cyber exposure to be a new “tower of risk” that is so substantial and unique in its characteristics that it merits its own risk appetite. Yet another example might be the risk implications of new forms of geopolitical risk (ranges from confiscation risks, to changes in currency convertibility, to acts of war or terror, state sponsored cyber events, etc.). As risk evolves and new forms emerge, risk professionals will need to ensure that the risk appetite process stays current to robustly address.