How do I use a risk appetite statement?

29 November 2019

In the fourth blog of this series I consider how a risk appetite statement can be used to manage and monitor risk within an organisation.

The risk appetite should drive key business decisions such as business acquisitions, disposals, client on-boarding/exiting and the deployment of resources.

The inherent risk generated through business activities needs to be managed to within the defined risk tolerances. To do this there need to be clearly defined policies and procedures, metrics, management information, governance and escalation routes. This is the ‘risk management framework’. The organisation uses its risk management framework to manage and mitigate its inherent risks to within its tolerable limits (‘residual risk’) through the design and operation of specific controls and through the effective operation of its broader governance and oversight.

Tolerance for control failures

As well as defining the inherent risk parameters, it is important to recognise that, just as it is not feasible to have ‘zero tolerance’ for financial crime (see blog #3), it is also not feasible to have ‘zero tolerance’ for control failures: controls will fail from time to time, and as risks change the controls needed to mitigate those risks also need to change. Thus an organisation should define the control effectiveness parameters that it is prepared to operate within, e.g. ‘I am prepared to tolerate a 3% failure rate in my KYC process over a twelve month period’.

Thus, once the intolerable risks, the inherent risk parameters and the control effectiveness parameters have been defined, organisations should have clearly understood and defined their financial crime risks to the level they are prepared to tolerate; this is their ‘residual’ or ‘tolerable’ risk. 

As part of the design of their risk appetite statement therefore, financial institutions should define a set of metrics (the ‘risk indicators’) that enable them to monitor the organisation’s compliance with its tolerance for inherent risk, its tolerance for control failures and therefore its overall tolerance for risk (‘residual risk’). 

Monitoring compliance with risk appetite 

The defined risk indicators should be monitored against their defined tolerance levels.  

If a risk indicator exceeds its defined tolerance level, the relevant area of the financial crime risk management framework should be managed and, where needed, enhanced so that the risk indicator is returned to within its defined tolerance limits and the risk reverts to being within its risk tolerance (‘I had agreed to accept a control failure rate of 3% per annum but I am showing a 5% failure rate: I need to fix this’, or ‘I did not want to undertake business with country XXX, but I have acquired a new business with some exposure to this country: I either need to divest these clients, or change my risk appetite statement and/or assess and enhance my controls to mitigate the risk to within my defined tolerances’). This is in line with the concept of ‘continual monitoring’ which the FCA and other regulators are promoting.

Thus an organisation can understand and manage the financial crime risks generated by its business activities to within its defined tolerance levels and ensure its regulatory obligations are met.

How management govern, oversee and monitor performance against the defined risk appetite is fundamental to the demonstration of the understanding and management of financial crime risk.

Sian Herbert | Partner, PwC United Kingdom
