This document discusses the importance of risk appetite and embedding risk culture at organizations. It begins by defining risk appetite as the amount and type of risk an entity is willing to accept over a set period of time to achieve its objectives. The document then notes that weaknesses in risk appetite governance contributed to the financial crisis and that properly establishing and monitoring risk appetite is a board responsibility. It stresses that risk appetite should be integrated into strategic planning and outlines how organizations can set, execute, and monitor their risk appetite.

1. ShapingYour Culture via Risk Appetite
Embedding the tone from the top
Prepared
for:
StratexSystems
Webinar
Series
18
October
2012

2. Page
§
2
About StratexSystems
“StratexPoint
enabled
us
to
reduce
the
value
of
our
opera6onal
losses
by
94%,
the
volume
by
63%
and
our
economic
capital
provision
by
23%”
-­‐
Head
of
Opera=onal
Risk,
HML
-­‐
Skipton
group
Our
mission
To
provide
an
integrated
strategy
and
risk
management
solu8ons
which
enhances
strategy
execu=on,
enhance
capital
efficiency
by
15%
and
reduce
opera=onal
losses
25%
while
providing
100%
confidence
that
your
business
is
opera=ng
within
appe=te.

3. Page
§
3
Agenda
§ What is Risk Appetite?
§ What do we mean culture & risk culture ?
§ Embedding the ‘tone from the top’

4. Risk
Appe=te

5. Page
§
5
The credit crunch and subsequent fall-out is rewriting
the rules on strategy execution and risk management

6. Page
§
6
Corporate governance weaknesses related to Risk
Appetite contributed to the credit crunch
Supervisors
see
insufficient
evidence
of
board
involvement
in
seOng
and
monitoring
adherence
to
firms’
risk
appe=te.
Risk
appe=te
statements
are
generally
not
sufficiently
robust;
such
statements
rarely
reflect
a
suitably
wide
range
of
measures
and
lack
ac8onable
elements
that
clearly
ar8culate
firms’
intended
responses
to
losses
of
capital
and
breaches
in
limits.
Board-­‐level
engagement
in
risk
oversight
should
be
materially
increased,
with
par8cular
aKen8on
to
the
monitoring
of
risk
and
discussion
leading
to
decisions
on
the
en=ty’s
risk
appe=te
and
tolerance.
Remunera=on
structures
for
all
such
“high
end”
employees
are
appropriately
aligned
with
the
medium
and
longer-­‐term
risk
appe=te
and
strategy
of
the
en8ty.
In
essence,
the
obliga8on
of
the
board
in
respect
of
risk
should
be
to
ensure
that
risks
are
promptly
iden8fied
and
assessed;
that
risks
are
effec8vely
controlled;
that
strategy
is
informed
by
and
aligned
with
the
board’s
risk
appe=te;
and
that
a
suppor8ve
risk
culture
is
appropriately
embedded
so
that
all
employees
are
alert
to
the
wider
impact
on
the
whole
organisa8on
of
their
ac8ons
and
decisions.

7. Page
§
7
Organisations are increasingly looking to ‘Risk
Management’ as a source of competitive advantage
Neither
too
cau=ous
nor
too
reckless,
the
best
companies
use
their
risk
management
capabili=es
to
adjust
either
their
capacity
or
their
appe=te
to
make
more
prudent—
and
ul=mately
successful—
investment
decisions.
Source:
Accenture
2011
Global
Risk
Management
Study
64%
Almost
two-­‐thirds
of
Risk
Masters
64%
indicate
that
their
risk
management
capabili=es
provide
compe==ve
advantage
to
“a
great
extent,”
compared
with
only
42%
of
the
peer
set.

8. Page
§
8
Evidence suggests many corporate governance
weaknesses and Board level challenges still exist
“the Board is responsible for determining the nature and extent
of the significant risks it is willing to take in achieving its strategic
goals.” UK Corporate Governance Code, 2010
21%
“only
21%
align
their
risks
with
their
business
strategy”
–
Grant
Thornton
Corporate
Governance
Review
2011
Where
the
Board
need
to
spend
more
=me…
70%
Strategy
42%
Execu=on
47%
Performance
Management
67%
Risk
Management
21%
“Only
21%
of
directors
surveyed
claim
a
complete
understanding
of
their
companies’
current
strategy”
–
Mckinsey
Global
Survey
–
Corporate
Governance,
2011
“results
indicate
a
need
to
be0er
educate
Boards
on
industry
dynamics
and
how
their
companies
create
value...”
Approx.
1500
par=cipants

9. Page
§
9
What is Risk Appetite?
§ The COSO definition provides ‘What,Who,When and
Why’ of risk appetite
§ What: the amount and type of risk
§ Who: an organisational entity
§ When: over a defined time horizon
§ Why: to achieve the objectives of the entity
Risk
appe8te
is
the
amount
and
type
of
risk
that
is
acceptable
to
be
taken
by
an
organisa8onal
en8ty
over
a
defined
8me
period,
to
achieve
the
objec8ves
of
that
en8ty
–
COSO
Enterprise
Risk
Management
Risk
appe<te
sets
the
boundaries
within
which
strategy
is
executed
–
StratexSystems

10. Page
§
10
Risk Appetite should be integrated
into your organisational strategic
framework
Business
Goals
Business
Model
Business
Drivers
Internal
Analysis
External
Analysis
Business
Objec=ves
Strategy
Appe=te
Appe=te
Alignment
Risk
Management
Performance
Management
Appe=te
Iden8fy
strengths
&
weaknesses
Iden8fy
threats
&
opportuni8es
Is
our
business
model
fit
for
purpose?
Is
our
business
model
fit
for
purpose?
Are
we
opera8ng
within
appe8te?
Manage
threats
&
opportuni8es
Are
we
on-­‐track
to
deliver?
Manage
strengths
&
weaknesses
Appe=te
SeYng
Execu8on
Formula8on
SeOng
§ From
high-­‐level
strategies
to
specific
business
objec8ves
§ Define
specific
business
objec8ves
and
appe8te
for
specific
en8ty’s
§ Alloca8on
of
scarce
resources
by
en8ty,
risk
category,
product
lines
Execu=on
§ Are
we
on-­‐track
to
achieve
our
business
objec8ves
§ Are
we
opera8ng
within
appe8te
(are
we
taking
too
much,
or
not
enough
risk?)
§ Do
we
have
the
right
level
of
controls
in
place
to
meet
internal
and
external
compliance
drivers?
§ Are
we
aligning
our
change
agenda
to
our
strategic
agenda?
Formula=on
§ Development
of
high-­‐level
strategies
and
alloca8on
of
scarce
resources,
including
capital
§ Given
our
business
context,
what
is
our
appe8te
for
risk?
§ Given
our
appe8te,
have
we
got
the
right
business
model?
§ Are
we
comfortable
with
the
assump8ons
we
have
made?

11. Page
§
11
Risk Appetite is the ‘glue’ that brings together Strategy
& Risk Management
Performance
Management
Risk
Management
Strategy
Management
Appe=te
What
are
we
trying
to
achieve?
Are
we
on
track?
What
is
our
Risk
Appe=te?
Are
we
opera=ng
within
appe=te?
Governance
&
Communica=ons
Culture

12. Risk
Culture

13. Page
§
13
What is Culture?
The thing I have learned at IBM is that culture is
everything – LouisV. Gerstner, Jr. former CEO
IBM
Culture Eats Strategy For Breakfast - Peter Drucker
Culture
comprises
an
organisa<on’s
widely
shared
values,
symbols,
behaviours
and
assump<ons
–
Rob
Goffee
&
Gareth
Jones
The
way
we
get
things
done
around
here

14. Page
§
14
What is Risk Culture?
Risk
culture
can
be
defined
as
the
norms
and
tradi8ons
of
behaviour
of
individuals
and
of
groups
within
an
organiza8on
that
determine
the
way
in
which
they
iden8fy,
understand,
discuss,
and
act
on
the
risks
the
organiza8on
confronts
and
the
risks
it
takes.
A
robust
risk
culture
is
a
substan8al
determinant
of
whether
a
firm
is
able
successfully
to
execute
its
chosen
strategy
within
its
defined
risk
appe8te.

15. Page
§
15
Risk Culture Framework
Source:
Taking
Control
of
organisa=onal
risk
culture
-­‐
McKinsey
&
Co,
2010

16. Page
§
16
Risk Culture failings fall into relatively predictable
categories
§ Disregard for risk
§ Over-confidence
§ Business Units evading or distorting risk
management efforts
§ Risk Management failing emerge, with
no apparent consequences
§ Sweeping problems under the carpet
§ Assumptions are not challenged
§ Blind spots as a result of lack of
challenge or excessive challenge
§ Shoot-the-messenger mentality
§ Siloed risk management processes
§ Passivity
§ Not sharing warning signals
§ Indifference
§ Denial
§ Excessive hierarchical organisations no
listening to the front-line
§ Tribal culture
§ Ignorance
§ lack of understanding of risk or risk
management issues
§ Faulty communication of the firms risk
appetite
§ Failure to be clear about who is in
charge of risk issues
§ Ignorance can reflect lack of insight
§ Failure to correct bad behaviours
§ Frequent breaches of procedure,
ignoring of limits, failures to complete
reports, or disregard of compliance
requirements, can contribute to issues
above
§ Excusing the behaviour of those who
are generating high revenue volumes
§ Focusing on ‘hit’ while overlooking
‘Near Misses’
§ Failure to send the correct signals

17. Page
§
17
Culture was seen as a main contributory factors to the
Libor scandal
We
place
considerable
emphasis
on
the
CEO
seDng
the
right
culture,
risk
appe6te
and
control
framework….
Hector
Sans,
FSA

18. Page
§
18
In the wake of a $3B fine for mis-selling drugs, GSK are
transforming their culture
A culture of putting patients first is our priority

19. Page
§
19
Fukushima crisis ‘made in Japan’ - ingrained conventions
of Japanese culture.

20. Page
§
20
The Right Culture should ensure…
The
right
people…
Are
doing
the
right
things…
At
the
right
=me…
With
the
right
amount
of
challenge…
To
seize
opportuni=es
and
manage
threats…
While
opera=ng
within
appe=te

21. Page
§
21
The seven key characteristics of a Strategy-focused, Risk-
aware culture
Strategy-­‐focused,
Risk-­‐
aware
culture
1.
Driven
by
a
compelling
vision
2.
Live
by
a
clear
set
of
values
3.
Led
with
integrity
4.
Align
risk-­‐taking
to
strategy
7.
Incen=ves
are
aligned
to
appe=te
6.
Engage
in
high
quality
conversa=ons
5.
Established
clear
accountabili=es

22. Embedding
the
Tone
from
the
Top

23. Page
§
23
Tone from the top is critical is shaping culture
Vision
Mission
Values
Shareholder
value
Risk
Appe=te
Processes
Key
Controls
Tone
from
the
Top
What
we
do
on
a
day-­‐to-­‐day
basis
What
we
think
on
a
day-­‐to-­‐day
basis
Strategy
Controls
Risks
indicators
Shared
values
Behaviours
Incen=ves
Leadership
Symbols

24. Page
§
24
Strategy Map helps make ‘tone from the top’,
Leadership,Vision ‘tangible

25. Page
§
25
Using drivers to frame appetite setting enables the Board to set
clear a clear ‘tone from the top’ and operating boundaries
Business
drivers
Capital
Income
Reputa=on
Shareholder
value
Share
price
Economic
value
add
Profit
Strategy
Align
Risk-­‐taking
to
Strategy
Manage
Risk
Manage
Performance
Appe=te
Governance
Communica=on
Culture
Appe=te

26. Page
§
26
Using drivers to frame appetite setting enables the Board to set
clear a clear ‘tone from the top’ and operating boundaries
Business
Drivers
Low
Moderate
High
Extreme
Capacity
Limit
Income
X%
Capital
@Risk
X%
Capital
@Risk
X%
Capital
@Risk
X%
Capital
@Risk
Capital
Up
to
X
£M
X
£M
to
Y
£M
X
£M
to
Y
£M
X
£M
to
Y
£M
Above
X
£M
Reputa=on
Up
to
X
vol.
Bad
coverage
Up
to
X
vol.
Bad
coverage
Up
to
X
vol.
Bad
coverage
Up
to
X
vol.
Bad
coverage

27. Page
§
27
Using drivers to frame appetite setting enables the Board to set
clear a clear ‘tone from the top’ and operating boundaries
Business
Drivers
Low
Moderate
High
Extreme
Capacity
Limit
Income
X%
Capital
@Risk
X%
Capital
@Risk
X%
Capital
@Risk
X%
Capital
@Risk
Capital
Up
to
X
£M
X
£M
to
Y
£M
X
£M
to
Y
£M
X
£M
to
Y
£M
Above
X
£M
Reputa=on
Up
to
X
vol.
Bad
coverage
Up
to
X
vol.
Bad
coverage
Up
to
X
vol.
Bad
coverage
Up
to
X
vol.
Bad
coverage

28. Page
§
28
Those same drivers are used in the risk assessment
process
Capital
@Risk
Reputa=on
@Risk
Impact
x
Likelihood
(over
a
=me
horizon)

29. Page
§
29
Appetite Alignment Matrix is a key tool for monitoring the
alignment of Risk-taking to Strategy
§ Enabling
monitoring
of
risks
which
are
outside
of
Appe8te
§ Shows
where
we
are
taking
to
much
and
not
enough
risk
§ Changes
the
risk
conversa8on
§ Answers
the
ques8on:
Are
we
opera=ng
with
in
Appe=te?

30. Page
§
30
Risk Maps is powerful tools for creating transparency
around risk

31. Page
§
31
Effective Controls has an important role in reinforcing
the tone from the top

32. Page
§
32
An accountabilities model is ‘baked’ into our solutions
“The
buck
stops
here”
Those
with
Yes/No
authority
related
to
the
objec8ve,
risk
or
control.
“Keep
in
the
loop”
Those
involved
prior
to
decisions
or
ac8on
related
to
the
objec8ve,
risk
or
control.
“The
doers”
Those
people
working
on
delivering
the
objec8ve,
managing
the
risk
or
applying
the
control.
“Keep
in
the
picture”
Posi8on(s)
that
need
to
know
about
decision
or
ac8on
related
to
the
objec8ve,
risk
or
control.
P

33. Page
§
33
An accountabilities model is ‘baked’ into our solutions

34. Page
§
34
Our solutions provide a number of ‘tools’ to help
embedding the tone from the top
Strategy Map Risk Map
Appetite Alignment Matrix

35. Page
§
35
About StratexSystems
“StratexPoint
enabled
us
to
reduce
the
value
of
our
opera6onal
losses
by
94%,
the
volume
by
63%
and
our
economic
capital
provision
by
23%”
-­‐
Head
of
Opera=onal
Risk,
HML
-­‐
Skipton
group
Our
mission
To
provide
an
integrated
strategy
and
risk
management
solu8ons
which
enhances
strategy
execu=on,
enhance
capital
efficiency
by
15%
and
reduce
opera=onal
losses
25%
while
providing
100%
confidence
that
your
business
is
opera=ng
within
appe=te.

36. Page
§
36
Our solution enables our clients to “control their risks
while executing strategy”

37. Page
§
37
Examples of where our solution has added real and
tangible business value
60%
23%
182
Op
losses
HML
seen
a
60%
reduc8on
in
opera8onal
losses
within
18
months
Regulatory
capital
HML
also
seen
a
23%
reduc8on
in
regulatory
capital
Ini8a8ves
Consolidated
global
pormolio
of
major
ini8a8ves
to
enable
single
view
of
status
&
risk

38. Page
§
38
Free trail of StratexLive
Stratex
Bootcamp
§ 30
day
free
use
of
StratexLive
§ Regular
‘coaching’
session
online
§ Load
your
own
data
§ Add
your
own
users
§ START
NOW