Setting appropriate risk appetite

Jing Zhao, Director Third Party Data and Analytics, USAA

Below is an insight into what can be expected from Jing’s session at Vendor & Third Party Risk USA 2023.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

What is the best way to govern risk appetite?

The best way to govern risk appetite is to ensure the following attributes are met:

  • The risk appetite metric(s) is being reported and actioned on at the appropriate management level relative to the highest level of risk in the third party space.
  • The metric(s) measures the ‘so-what’ of the business and has clear actionable steps to maintain warning and breaching levels.
  • The metric(s) is designed in collaboration with key risk domain owners, as the third party space is the intersection of all risk domains.
  • The metric(s) is reviewed by risk partners (compliance, second line of defence, etc.) to remove bias and unintentional weighting.
  • Hold the parties accountable to drive the necessary actions to maintain risk appetite within tolerance levels.

How do you best set risk appetite?

From our experience, the best way to set a risk appetite is to have a framework on the usage of operational risk metrics, key risk indicators, and risk appetite metrics. In our case, our operational risk metrics measure the day-to-day risks of the program, our key risk indicators are a set of leading indicators to support the risk appetite, and our risk appetite is the true business outcome for the highest risk domains in the company.

To set the limits of the risk appetite, the best way from our experience is to use a combination of statistical analysis, subject matter consultation, industry collaboration, and senior management input.

Why is it important to review business reports and set limits?

A risk appetite without limits is like not having a risk appetite at all. There’s no call to action if there are no warning triggers or no breach triggers. Setting appropriate limits will inform senior management on the risks that are occurring in the third party space and collectively drive results through their sphere of influence, as many of the action agents may not be under the third party program’s direct control.

We require a very detailed write-up of an exceedance package that is reviewed and approved by our second line of defence and Third Party program executive to document what actions need to be taken, by whom, and by when, to have the risk appetite below the set limits.

What main challenges are brought when you don’t work through business relationships and review potential pushbacks?

It is critical to collaborate with all stakeholders from the initial design of the risk appetite. As the intersection of all risk domains, the third party risk appetite needs to consider all attributes of risk that exist in the company. Usually, the risk domain owners do not sit directly under control of the third party program, making early engagement critical to the process. The third party program is also an enterprise function, adding an additional layer of complexity to engaging other lines of business leaders to align on the risk appetite.

Some of the symptoms of not working with business partners include:

  • Derailment of design and execution
  • Finger pointing of issues
  • Lack of support as action agents
  • Lower quality design on the risk appetite
  • Additional ideas missed from other subject areas

Another critical item is to engage stakeholders at the ‘right’ level. We have had experiences working closely with the individual contributors of a certain group, only to be derailed by senior management, causing rework and frustration for everyone. Given the risk appetite is intended to measure the most critical risk, senior management engagement is important. Senior management also brings a different level of perspective than the day-to-day operators.

While this all sounds cumbersome, early and often engagement with the stakeholders at the right levels will make setting the risk appetite much smoother.