How do I use a risk appetite statement?
29 November 2019
In the fourth blog of this series I consider how a risk appetite statement can be used to manage and monitor risk within an organisation.
The risk appetite should drive key business decisions such as business acquisitions, disposals, client on-boarding/exiting and the deployment of resources.
The inherent risk generated through business activities needs to be managed to within the defined risk tolerances. To do this there needs to be clearly defined policies & procedures, metrics, management information, governance and escalation routes. This is the ‘risk management framework’. The organisation uses its ‘risk management framework’ to manage and mitigate its inherent risks to within its tolerable limits (‘residual risk’) through the design and operation of specific controls and through the effective operation of its broader governance and oversight.
Tolerance for control failures
As well as defining the inherent risk parameters it is important to recognise that, just as it is not feasible to have ‘zero tolerance’ for financial crime (see blog #3), it is also not feasible to have ‘zero tolerance’ for control failures – controls will fail from time to time and, as risks change, the controls needed to mitigate those risks also need to change. Thus an organisation should define the control effectiveness parameters that it is prepared to operate within, e.g. ‘I am prepared to tolerate 3% failure of my KYC process over a twelve-month period’.
Thus, once the intolerable risks, the inherent risk parameters and the control effectiveness parameters have been defined, organisations should have clearly understood and defined their financial crime risks to the level they are prepared to tolerate; this is their ‘residual’ or ‘tolerable’ risk.
As part of the design of their risk appetite statement therefore, financial institutions should define a set of metrics (the ‘risk indicators’) that enable them to monitor the organisation’s compliance with its tolerance for inherent risk, its tolerance for control failures and therefore its overall tolerance for risk (‘residual risk’).
Monitoring compliance with risk appetite
The defined risk indicators should be monitored against their defined tolerance levels.
If the defined risk indicators are exceeded, the relevant area of the financial crime risk management framework should be managed and, where needed, enhanced so that the risk indicator is returned to within its defined tolerance limits and the risk reverts to being within its risk tolerance (‘I had agreed to accept a control failure of 3% per annum but I am showing a 5% failure rate – I need to fix this’ or ‘I did not want to undertake business with country XXX, but I have acquired a new business with some exposure to this country – I either need to divest these clients, or change my risk appetite statement and/or assess and enhance my controls to mitigate the risk to within my defined tolerances’). This is in line with the concept of ‘continual monitoring’ which the FCA and other regulators are promoting.
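The monitoring step above, as an added illustration that is not part of the original post: a small Python evaluator that computes a risk indicator over a rolling twelve-month window and flags a breach of the stated tolerance (3% tolerated, 5% observed), alongside a check for exposure to a jurisdiction the appetite statement rules out. The indicator names, the sample KYC review records, the failure-rate definition and the placeholder country code are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Reporting date and constructed sample KYC review outcomes: (review date, passed?).
# The first 100 records fall inside the last twelve months (95 passed, 5 failed);
# the 20 older records all failed and must not count against a twelve-month window.
AS_OF = date(2019, 11, 29)
KYC_REVIEWS = (
    [(AS_OF - timedelta(days=3 * i), i % 20 != 0) for i in range(100)]
    + [(AS_OF - timedelta(days=400 + i), False) for i in range(20)]
)

# Hypothetical prohibited-jurisdiction code and client book (placeholder values).
PROHIBITED_COUNTRIES = {"XX"}
CLIENT_COUNTRIES = ["GB", "DE", "XX", "FR", "XX"]

@dataclass
class RateIndicator:
    """A risk indicator expressed as a maximum tolerable failure rate over a window."""
    name: str
    tolerance: float        # e.g. 0.03 for 'tolerate 3% KYC failure'
    window_days: int = 365  # rolling twelve-month period

def failure_rate(reviews, as_of, window_days):
    """Share of reviews inside the rolling window that failed (assumed metric definition)."""
    start = as_of - timedelta(days=window_days)
    in_window = [passed for review_date, passed in reviews if start < review_date <= as_of]
    if not in_window:
        return 0.0
    return sum(1 for passed in in_window if not passed) / len(in_window)

def evaluate_rate(indicator, reviews, as_of):
    """Compare the observed rate with the tolerance and report breach status."""
    observed = failure_rate(reviews, as_of, indicator.window_days)
    return {"indicator": indicator.name, "observed": observed,
            "tolerance": indicator.tolerance, "breach": observed > indicator.tolerance}

def evaluate_exposure(prohibited, client_countries):
    """Flag any client exposure to a jurisdiction the appetite statement rules out."""
    hits = sorted({c for c in client_countries if c in prohibited})
    return {"indicator": "prohibited_country_exposure", "exposures": hits, "breach": bool(hits)}

KYC_INDICATOR = RateIndicator("kyc_failure_rate", tolerance=0.03)

if __name__ == "__main__":
    for result in (evaluate_rate(KYC_INDICATOR, KYC_REVIEWS, AS_OF),
                   evaluate_exposure(PROHIBITED_COUNTRIES, CLIENT_COUNTRIES)):
        print("BREACH " if result["breach"] else "OK     ", result)
```

Widening the window to include the older failed records changes the observed rate, which is why the window length belongs in the indicator definition rather than in the report.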
Thus an organisation can understand and manage the financial crime risks generated by its business activities to within its defined tolerance levels and ensure its regulatory obligations are met.
How management govern, oversee and monitor performance against the defined risk appetite is fundamental to the demonstration of the understanding and management of financial crime risk.