Operational Risk Appetite and Tolerance Operational Risk Sound Practice Guidance
An IRM Group Company
Foreword
The Institute of Operational Risk (IOR) was created in January 2004 and became part of the Institute of Risk Management in 2019. The IOR's mission is to promote the development of operational risk as a profession and to develop and disseminate sound practice for the management of operational risk.

The need for effective operational risk management is more acute than ever. Events such as the global financial crisis or the COVID-19 pandemic highlight the far-reaching impacts of operational risk and the consequences of management failure. In the light of these and numerous other events, organisations must ensure that their policies, procedures, and processes for the management of operational risk meet the needs of their stakeholders.

This guidance is designed to complement existing standards and codes for risk management (e.g. ISO 31000). The aim is to provide guidance that is both focused on the management of operational risk and practical in its application. In so doing, this is a guide for operational risk management professionals, to help them improve the practice of operational risk in organisations. Readers looking for a general understanding of the fundamentals of operational risk management should start with the IOR's Certificate in Operational Risk Management.

Not all the guidance in this document will be relevant for every organisation or sector. However, it has been written with the widest possible range of organisations and sectors in mind. Readers should decide for themselves what is relevant for their current situation. What matters is gradual, but continuous, improvement.
The Institute of Operational Risk Sound Practice Guidance
Although there is no one-size-fits-all approach to the management of operational risk, it is important that organisations benchmark and improve their practice on a regular basis. This is one of a series of papers which provides practical guidance on a range of important topics that span the discipline of operational risk management. The objectives of these papers are to:
• explain how to design and implement a 'sound' (robust and effective) operational risk management framework
• demonstrate the value of operational risk management
• reflect the experiences of risk professionals, including the challenges involved in developing operational risk management frameworks.
Contents
Introduction 4
Key terms and definitions 5
  Risk appetite 5
  Risk tolerance 5
Determining operational risk appetite and tolerance 7
  Roles and responsibilities for determining operational risk appetite and tolerance 7
  Expressing operational risk appetite and tolerance: Qualitative versus quantitative 8
  Deciding on the appropriate level of operational risk appetite and related tolerances 10
Implementing operational risk appetite and tolerance 11
  Communication 11
  Monitoring 11
  Aggregation and reporting 12
  Management and decision making 13
Conclusion 14
Appendix A: The operational risk management framework 15
Introduction
Risk appetite is an area that attracts diverse views among operational risk practitioners. Depending on the sector, scale and risk profile of an organisation, operational risk appetite frameworks range in complexity and scope. Differences also exist in terminology, with some practitioners preferring the term tolerance over appetite when referring to operational risks. For these reasons, the following paper does not recommend a one-size-fits-all solution. Rather, it outlines a variety of good practices, from which may be drawn a collection of appropriate, relevant, and proportionate ideas.

Fundamentally, risk appetite, whatever the risk that is focused upon, is about decision making. Every action or decision within an organisation involves an element of risk. The organisation must, therefore, be able to distinguish between risks that are likely to result in value-creating outcomes (e.g. profit, reputation, improved services, etc.) and those that may destroy value. By determining an appropriate appetite for risk and implementing a framework to ensure that this appetite is maintained, organisations can ensure that decision-makers do not expose them to either too much, or too little, risk.

Whilst the focus of this paper is on operational risk, the IOR would expect that an organisation's appetite for operational risk is part of a broader, enterprise-wide appetite for risk. Operational risk is important to all organisations and the Board and senior management must be engaged in its management. Effective governance and compliance require the management of risks which are typically operational (e.g. fraud, health and safety and conduct-related risks). Also, strategic decisions (e.g. new product development) often require exposure to operational risk and it is important that the Board and senior management are cognisant of these risks and satisfied that the organisation can take them.

Organisations that implement a framework for determining and managing their operational risk appetite can achieve several benefits:
• Enable the Board to exercise appropriate oversight and corporate governance by defining the nature and level of operational risks it considers acceptable (and unacceptable) and thus set appropriate boundaries for business activities and behaviours
• Provide a means of expressing senior management's attitude to operational risk, which can then be communicated throughout the organisation to help promote a risk-aware culture
• Establish a framework for operational risk decision making, to help determine which risks can be accepted/retained and which risks should be prevented or mitigated
• Improve the allocation of risk management resources by bringing into focus higher priority issues, specifically operational risk exposures or control weaknesses that are outside of appetite or tolerance
• Ensure that the cost of operational risk management does not exceed the benefits
• Align strategic goals and operational activities through optimising the balance between business development/growth/returns and the operational risks inherent in pursuing those goals
Key terms and definitions
There are no universal definitions of either risk appetite or risk tolerance. Agreeing a universal definition is especially difficult in the context of operational risk, given that most operational risks are framed as 'downside' risks which can only result in a loss for an organisation.

Risk appetite

Irrespective of the academic debate concerning definitions, operational risk practitioners should ensure that their organisation has a clear definition of operational risk appetite that is accepted and understood by its management and Board of directors. A useful starting point is the IRM's definition of risk appetite from an enterprise-wide context:

'The amount and type of risk that an organisation is willing to take in order to meet their strategic objectives'

From an operational risk perspective, organisations could replace 'is willing to take' with 'is prepared to accept' or similar. Operational risks are inherent in organisational activities, but rarely are they sought, because they have no material upside in terms of return/income generation. There are, however, cost/benefit decisions involved in defining an appropriate balance between accepting potential losses on the one hand and incurring the costs of prevention and mitigation on the other (including the associated operational inefficiencies that introducing a new control could involve). Reducing operational risk exposures to zero is usually not possible or practical. The only way to achieve zero exposure is to cease activity, and that may prevent an organisation from achieving its strategic objectives.

The IOR's view is that financial services organisations, and those operating in safety or environmentally critical sectors (e.g. nuclear, chemical processing, etc.), should adopt an acceptability-oriented definition of operational risk appetite. This is because their operational risk exposures have the potential to cause serious financial and physical harm to stakeholders.

In non-financial organisations, and those that do not represent a significant safety or environmental risk, especially those operating in entrepreneurial sectors like technology, a definition that reflects a willingness to take risk is appropriate. This is because risk-taking, including a degree of operational risk, can be a necessary part of exploiting business opportunities, especially concerning the development of new products, supply chains, or manufacturing processes.

Risk tolerance

As explained above, an organisation's appetite for operational risk reflects the balance that it is prepared to maintain between the costs of controlling operational risk exposures and the costs of operational risk events. This is a high-level strategic decision that will influence both the resources devoted to operational risk management and the level of risk that is inherent in organisational activities.

In contrast, the term risk tolerance is typically used as a specific benchmark for the acceptability of a given operational risk exposure (e.g. internal or external fraud) or metric, such as a risk or control effectiveness indicator. In this regard, an organisation may decide that it is prepared to tolerate a specific number of operational errors or control weaknesses because their elimination would not be cost-effective.
Tolerance can be expressed using a Red, Amber, Green (RAG) based approach:

Status | Meaning      | Action
Green  | Acceptable   | No immediate action required, except for routine monitoring
Amber  | Tolerable    | Investigate (to verify and understand the underlying causes) and consider ways to mitigate/avoid within a specified time period
Red    | Unacceptable | Take immediate steps to mitigate or avoid
The thresholds that determine when a risk exposure or metric moves from green to amber, and then from amber to red, reflect an organisation's level of tolerance. The wider these thresholds, the greater the degree of tolerance.

Occasionally an organisation may decide that it is not willing to tolerate something. Usually, this is impossible to achieve for specific operational risk events, including highly undesirable ones like fraud or accidents at work. However, it is possible to avoid the effects that may be associated with these events, such as the potential for regulatory intervention and enforcement activities. For example, an organisation can never reduce the number of workplace accidents to zero, but it can ensure that it does not breach health and safety rules. Hence it is possible to specify a zero tolerance for compliance breaches, though not for accidents.

Where both tolerance and appetite are used, organisations may either:
• Set tolerance limits and thresholds below the agreed appetite for operational risk. From a RAG perspective, this means setting the appetite at the red level and tolerance at amber
• Set tolerance limits above the agreed appetite for operational risk. Hence appetite would in effect reflect the amber threshold and the limit of tolerance the threshold for red

The first approach is most appropriate in high control environments, such as financial services. The primary benefit is that where a risk exposure (or related risk or control effectiveness indicator) exceeds the amber tolerance limit, it serves as an early warning of a potential appetite breach.

The second approach is most appropriate in more entrepreneurial environments where risk-taking, including taking certain operational risks (e.g. new product development risks), is a necessary part of an organisation's strategic objectives. The advantage of such an approach in this environment is that the appetite for operational risk may be exceeded when there is a potential business benefit from doing so. However, it would be prudent for any such decision to receive Board-level approval, especially where corporate governance rules require Boards to oversee their organisation's appetite for risk.

Whichever approach is selected, two fundamental principles remain – a level of exposure to operational risk which may be exceeded in exceptional circumstances and a level that must not be exceeded under any circumstance. In terms of the latter, all organisations must not knowingly take operational risks that have a high probability of causing:
1. Death or injury
2. A breach of applicable laws and regulations
3. Financial distress and bankruptcy
Determining operational risk appetite and tolerance
Determining appropriate levels of operational risk appetite and tolerance, where necessary, involves many considerations, including the 'measures' of expression that should be used and the appropriate level of these measures. As is often the case there is no one optimal approach, though there is sound practice. The key stages in the process are:
• agreeing who is responsible for determining operational risk appetite and tolerance
• establishing how to express this operational risk appetite and tolerance
• deciding on the appropriate levels of these methods of expression

Roles and responsibilities for determining operational risk appetite and tolerance

The Board

In many firms, the current practice is for the Board to consider risk appetite statements drafted by senior management. This approach often reflects the complex nature of many financial organisations. Unfortunately, this practice can result in anchoring and is open to challenge by supervisory authorities and during Board effectiveness reviews, when it could be argued that Boards do not have a wide enough choice of recommendation and are too guided by the work of senior management. The Institute feels that, where possible, Boards should be more involved in the process of setting risk appetite and should be able to demonstrate a more active role in thinking about and setting risk appetite, albeit guided by the relevant experts.

To improve Board engagement, an alternative is for operational risk practitioners to limit themselves to designing the process for determining operational risk appetite. This might include providing a template that the Board can use (see Appendix A) or facilitating discussions by the Board. But it would not include providing specific recommendations about the appropriate level of operational risk appetite.

A further advantage of this alternative approach is that directors (whether executive or non-executive) have the broadest possible strategic perspective and should have a clear understanding of stakeholder risk preferences. As a result, they can ensure that the organisation's operational risk appetite is aligned with its strategic objectives while meeting the needs of stakeholders.

One way in which a Board can determine an organisation's appetite for operational risk is to present it with a template, like that provided in Appendix A. First, individual Board members should be asked to vote on what level of appetite they feel is appropriate for each of the elements within the template. Second, the Board should review and discuss these votes to reach a consensus. Third, the Board should vote a second time and the results used to set the initial appetite for operational risk. The process could be repeated if necessary, should a consensus not be reached. It is recommended that this approach be conducted outside of a scheduled Board meeting, for example during an away day, to allow time for discussion. Once an appetite for operational risk has been agreed, it should take less time to review and update as necessary (at a minimum, annually).
Business management

Managers across an organisation will be involved in the day-to-day management of a wide variety of operational risks. Some may be designated risk or control owners to reflect their responsibilities for effective risk management. Business managers do not, normally, get involved with determining an organisation's appetite for operational risk, given that this is part of a Board's governance responsibilities. However, they may be involved in determining RAG tolerance thresholds for specific operational risk exposures or risk and control metrics. Where they are involved in setting risk tolerances, these should not contradict the overarching operational risk appetite.

The operational risk function or equivalent

The operational risk function has a dual role:
• supporting the work of the Board (see above)
• overseeing the work of business managers in determining RAG tolerance thresholds

In overseeing the work of business managers, the operational risk function should balance the activities and objectives of specific business units, departments or functions with the operational risk appetite set by the Board. Business managers should not set RAG tolerance limits that may facilitate decisions that are inconsistent with the Board's appetite for operational risk (e.g. thresholds which promote excessive or insufficient risk-taking and control). The operational risk function should challenge tolerance limits where it is concerned about consistency. Where applicable, the risk or operational risk committee can be used to support this oversight.

The internal audit function

Organisations that have separate risk and internal audit functions should not normally involve internal audit in the determination of operational risk appetites or tolerance thresholds. However, they may decide to use the internal audit function to review the process used for determining operational risk appetite and make recommendations for improvement, where necessary.

Expressing operational risk appetite and tolerance: Qualitative versus quantitative

Operational risk appetite, and specific tolerances, may be expressed in a variety of different ways. Broadly these can be classified into qualitative and quantitative approaches.

Qualitative

Qualitative expressions rely on written statements that do not involve any quantification. They are useful where operational risks are difficult to quantify and to reinforce the relationship between operational risk and strategic/business management objectives. Qualitative statements can also be used to emphasise specific behaviours or attitudes, and in so doing help to shape an organisation's risk culture. Specifically, qualitative expressions of appetite or tolerance can be used to reinforce several important messages, such as:
• Recognising that certain operational risks, however unwelcome, are unpreventable (e.g. terrorism, natural disasters, pandemics), though the effects of these exposures may still be mitigated through appropriate business continuity and crisis management
• It is sensible to accept operational risks where the cost of mitigation/avoidance exceeds the expected loss, provided there is no risk of bankruptcy, enforcement, or stakeholder harm
• Risks will be accepted when the estimated losses are within prescribed tolerance levels
• Behaviours deemed to be unacceptable, such as: knowingly breaking the law, breaching regulatory requirements or company policy; damaging the environment; providing poor customer service or exposing people to physical harm
• Risks deemed unacceptable, such as: operating within specific countries or selling certain products
• The importance of maintaining a good reputation

Quantitative

Quantitative expressions involve hard data, usually having roots in business management information, which could be any combination of performance, risk, or control indicators. Quantitative expressions tend to be risk or control specific and thus are primarily an indication of operational risk tolerance, rather than overall appetite. Such measures can be accompanied by amber and red thresholds so that it is clear when a breach has occurred or is imminent. The concept of setting zero tolerance thresholds may seem impractical, but they can have a cultural purpose in reinforcing the message that it is not appropriate to accept avoidable losses without question.

Strategic level performance metrics that provide a broad expression of operational risk appetite in isolation are rare. One potential measure is the amount of economic or regulatory capital allocated to operational risk. Non-financial organisations do not tend to calculate or allocate capital to specific risk categories, but it is more common in financial services. Where capital is allocated to operational risk, an organisation could express its appetite for operational risk in terms of a risk-specific capital buffer. For example, an organisation may allocate a minimum of £10m of capital to operational risk, plus a 10% buffer (an additional £1m), to allow for the fact that unexpected costs may exceed the minimum allocation. The larger the buffer, the higher the organisation's appetite for operational risk.

Risk and control specific operational risk tolerance metrics are common; examples include:
• Delegated limits of authority beyond which subordinates must escalate for approval
• Measures of system or process reliability, for example, no more than xx% chance that any business-critical system is unavailable for more than one day in any one year
• Reported loss amounts based on budgeting, the aggregate annual amount by business area/loss type and/or sensitivity, i.e. an adverse trend of 5% may be acceptable, 10% tolerable, but 15% unacceptable. Note that thresholds may be set on a per-event basis, for specific risk categories over an agreed period, or on an aggregate basis for all operational risks. The aim is to cover both high volume/low value and low volume/high value types of events. Thresholds may also be used to support reporting and escalation processes, to help identify the level of management or executive attention required
• Risk/control assessment boundaries to distinguish acceptable/tolerable/unacceptable levels of exposure to specific risk types
• Risk and control indicator amber and red thresholds expressed in units that are appropriate for the indicator in question, i.e. numerical count, financial value, percentage, or variance
Deciding on the appropriate level of operational risk appetite and related tolerances

As explained, the Board of directors is responsible for deciding the appropriate level of operational risk appetite, while business management sets operational risk tolerances for specific risks and controls that are consistent with the overall appetite. In deciding on the level of operational risk appetite the Board should consider three primary factors:
1. The strategic objectives of the organisation. For example, an organisation looking to grow, or maintain, potential market share may decide to accept a greater level of operational risk
2. The risk preferences of key stakeholders. Where stakeholders are more averse to operational risk, a lower level of appetite will be appropriate, and vice versa
3. The financial strength of the organisation. Weaker organisations should not normally have a high appetite for any sort of risk, given the potential for their crystallisation to cause bankruptcy. Stronger organisations have more scope to take risk, including operational risks, because they should have the funds necessary to finance the costs associated with risk events

When setting tolerance levels for specific operational risks or controls, business managers should ensure that these are consistent with the Board's appetite for operational risk. Whenever tolerance limits are set which are inconsistent, especially if above the agreed appetite, this should be passed to the Board (or Board risk committee where present) for approval.

Techniques that may be used to set tolerance thresholds include:
• looking at historic trends in data series to understand normal versus exceptional, and potentially less tolerable, values
• benchmarking with similar organisations or industry standards, for example, an inter-organisation comparison of staff turnover or sickness absence, or comparing systems availability to recommended standards of availability
• benchmarking between different departments or functions within the organisation

Where trends or benchmarking information are not available, thresholds should be set using 'expert judgement', with assumptions documented and signed off and the thresholds refined as additional information becomes available.

Practical Examples

Example 1

An organisation wishes to set red and amber tolerance thresholds for staff turnover. High levels of turnover can be a signal of declining staff morale, and new staff are more likely to make mistakes, so the organisation is most concerned about a sudden increase. Monthly staff turnover usually averages 3% with a normal deviation of 1% (i.e. turnover tends to range between 2% and 4%). On one occasion, when the organisation's turnover increased to 6% for several months, a morale issue was identified. Hence the organisation decides to set the amber threshold at 4.5% and red at 6%.

Example 2

Red and amber tolerance thresholds need to be set for the availability of a new core system. Though extensive testing suggests that the system is very reliable, no historic data exists regarding the stability of the system in regular daily use. Management set red and amber limits based on their experience with other IT systems and user reactions to failures. Evidence suggests that a non-availability rate of less than 1% is tolerable, but 2% or more can disrupt business operations. Hence the amber threshold is set at 99% availability and red at 98%.
Implementing operational risk appetite and tolerance
A framework is required to ensure that operational risk management decisions across the organisation are consistent with the Board's appetite for operational risk and risk or control specific tolerances. The design of such a framework will vary with the nature, scale, and complexity of an organisation's activities, but the basic elements of this design remain the same.

Communication

To ensure that staff make appropriate decisions, an organisation's operational risk appetite and associated tolerances must be communicated to all staff involved in making operational risk management decisions. This might include those involved in managing activities that necessarily involve an element of operational risk (e.g. the operation of systems, processes, and procedures), as well as those involved in monitoring and controlling operational risk exposures (e.g. HR and IT staff).

Organisations may communicate their overall appetite for operational risk using a range of methods, including staff induction and training, staff meetings, intranet resources and performance reviews. It is recommended that multiple channels are used to ensure the message is received and understood. Tolerance thresholds for specific operational risks and controls should be communicated to all staff involved in the management of these risks and controls, especially risk and control owners if used.

Monitoring

Procedures should be put in place to ensure that an organisation remains within its chosen appetite and tolerances for operational risk. This will ensure that the organisation uses its operational risk management resources most efficiently while preventing and mitigating its most significant operational risk exposures. There are two distinct steps involved in the design and implementation of these procedures:
1. Arranging for the required data to be reported by the appropriate party at an agreed frequency. From the outset, it is important to take all reasonable steps to ensure the integrity of the data with respect to completeness, accuracy, and timeliness. It is recommended that operational risk appetite and tolerance reporting is built into existing operational risk reports, to save time producing new reports and to prevent overloading management. Such integration will also help management to understand the significance of a change in risk exposure, for example, operational risks that increase in exposure but remain within appetite or tolerance versus those that fall outside of the agreed operational risk appetite or tolerance thresholds
2. Converting data to information by adding context and interpretation (e.g. how the data compares with business performance metrics, whether the data is suggesting the emergence of increased or reduced risk, i.e. whether the movement is relatively positive or negative). This is the crucial stage. It entails the identification and investigation of adverse variances and trends and analysing the underlying causes. Some key considerations include whether:
• recurring "ambers" reflect a static or worsening position
• a cluster of "ambers" represents an overall "red" in aggregate
• recurring "greens" suggest thresholds are not sufficiently sensitive and should be reviewed
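As an added illustration that is not part of the IOR guidance, the following Python script derives the Example 1 thresholds from a constructed turnover history (mean plus a multiple of the deviation), classifies constructed monthly values against the RAG thresholds of Examples 1 and 2, and applies the three monitoring checks listed above (recurring ambers, static versus worsening, a cluster of ambers counting as red). The function names, the multipliers and all sample data are assumptions for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class Indicator:
    """A risk or control indicator with amber and red tolerance thresholds."""
    name: str
    amber: float
    red: float
    higher_is_worse: bool = True  # False for availability, where low values are bad

    def status(self, value: float) -> str:
        """RAG status of one reported value against this indicator's thresholds."""
        hit_red = value >= self.red if self.higher_is_worse else value <= self.red
        hit_amber = value >= self.amber if self.higher_is_worse else value <= self.amber
        if hit_red:
            return "red"
        if hit_amber:
            return "amber"
        return "green"


def thresholds_from_history(history: Sequence[float],
                            amber_k: float = 1.5, red_k: float = 3.0) -> Tuple[float, float]:
    """Set thresholds from historic 'normal versus exceptional' values (higher-is-worse):
    amber = mean + amber_k * deviation, red = mean + red_k * deviation.
    The multipliers are an assumption chosen to reproduce Example 1 (4.5% and 6%)."""
    m, d = mean(history), pstdev(history)
    return (round(m + amber_k * d, 2), round(m + red_k * d, 2))


def review(indicator: Indicator, values: Sequence[float], window: int = 3) -> Dict[str, object]:
    """Turn reported data into information: status per period plus the monitoring checks."""
    statuses = [indicator.status(v) for v in values]
    recent_statuses = statuses[-window:]
    recent_values = list(values[-window:])
    recurring_amber = len(recent_statuses) == window and all(s == "amber" for s in recent_statuses)
    # Worsening means every recent value moved further into the tolerance range than the last.
    worsening = len(recent_values) > 1 and all(
        (b > a) if indicator.higher_is_worse else (b < a)
        for a, b in zip(recent_values, recent_values[1:])
    )
    return {
        "latest": statuses[-1],
        "statuses": statuses,
        "recurring_amber": recurring_amber,
        "worsening": worsening,
        # A year of unbroken greens is the cue to ask whether thresholds are too insensitive.
        "review_thresholds": len(statuses) >= 12 and all(s == "green" for s in statuses),
    }


def aggregate(statuses: Dict[str, str], amber_cluster: int = 3) -> str:
    """Roll up indicator statuses: any red is red; a cluster of ambers is treated as red."""
    ambers = sum(1 for s in statuses.values() if s == "amber")
    if any(s == "red" for s in statuses.values()) or ambers >= amber_cluster:
        return "red"
    return "amber" if ambers else "green"


# Constructed sample data (not from the guidance): a turnover history with mean 3% and
# deviation 1%, and recent monthly values for the two indicators of Examples 1 and 2.
TURNOVER_HISTORY = [2.0, 4.0, 2.0, 4.0, 2.0, 4.0]
TURNOVER_AMBER, TURNOVER_RED = thresholds_from_history(TURNOVER_HISTORY)  # 4.5, 6.0
TURNOVER = Indicator("staff turnover %", TURNOVER_AMBER, TURNOVER_RED)
AVAILABILITY = Indicator("core system availability %", amber=99.0, red=98.0, higher_is_worse=False)

TURNOVER_RECENT = [3.1, 3.8, 4.6, 4.9, 5.4]          # constructed: three ambers, worsening
AVAILABILITY_RECENT = [99.7, 99.4, 98.9, 99.2, 99.5]  # constructed: one amber, then recovered

if __name__ == "__main__":
    latest = {}
    for ind, vals in ((TURNOVER, TURNOVER_RECENT), (AVAILABILITY, AVAILABILITY_RECENT)):
        result = review(ind, vals)
        latest[ind.name] = result["latest"]
        print(ind.name, result)
    print("aggregate:", aggregate(latest))
```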
The monitoring of performance against qualitative statements of operational risk appetite or tolerance is more challenging, but should be attempted where possible. One solution is to have regular conversations at the Board, risk committee and risk function levels about whether staff behaviours and organisational activities are consistent with these statements. Other relevant functions such as internal audit, HR and IT security may also be involved to gauge their opinion. The value of conversations about operational risk should not be underestimated. They can help to promote risk awareness and identify potential areas of concern. More formal mechanisms to monitor performance against qualitative statements include internal audit reviews, information from staff performance reviews (where adherence to key qualitative statements could be assessed), and investigations into loss events, to determine whether they were partially the result of behaviours or actions included in qualitative statements (e.g. regulatory breaches).

Aggregation and reporting

Some of the challenges in aggregation and reporting arise from making sense of tolerance thresholds set in different parts of the organisation. If a business unit adopts Group level tolerances it will, almost certainly, report a perpetual "green" status because the scale of its operation is insufficient to breach Group thresholds – thus there would never be any trigger for action anywhere in the organisation. On the other hand, a "red" status at the business unit level may be of little or no significance at Group level and thus dilute the value of the "unacceptable" flag at senior management level. A solution adopted by some organisations involves the recalibration of thresholds at different layers in the organisation. Figure 1 provides an example.
Figure 1
The risk exposure on the left of this diagram belongs to Business 1, which represents 80% of Division A, which in turn forms 80% of the Group. In this case, the "red" status at the business level is of similar significance in the context of the Division and the Group as a whole. The risk exposure on the right of this diagram is also a "red" risk at the business level because it is significant to the management of Business 4. However, since that business is a small part of Division B, which itself is a small part of the Group, the significance reduces with escalation up the organisation.

Recalibration, at Divisional and/or Group levels, can be achieved by applying a weighting to the reported data according to the relative scale of the initiating business. However, weightings cannot be so low as to remove such exposures from top-level scrutiny:
• the implications of poorly managed operational risk in one business may have a contagious effect on the reputation of the Group as a whole
• weaknesses in operational risk management may be systemic, meaning that problems in one business may be a signal of issues elsewhere

Therefore, the aggregate position needs to be managed on a common-sense basis. However good an aggregated reporting system may be, it does not remove the need for a qualitative and evaluative approach to be adopted at the Group centre.

Management and decision making

An organisation's operational risk appetite and associated tolerances should be used to drive action. Organisations should not accept exposures or control weaknesses that are outside of either their overall appetite for operational risk or agreed tolerance thresholds. Key decisions include:
• Whether it is appropriate to accept the breach for a limited period. After weighing all the evidence, it may be the case that a breach involves a truly one-off exception. In other cases, it may be appropriate to review and re-calibrate previous tolerance levels if they are believed to be too sensitive. It is recommended that such acceptances should be recorded and revisited regularly.
• Taking steps to mitigate/avoid and prevent a recurrence. This is likely to be the most appropriate response to a breach of operational risk appetite or tolerance and will require approval to implement some additional or alternative control measures.
• Some intermediate management action – for example, conducting extended or more intense monitoring, undertaking additional root cause analysis, or investigating the cost/benefit of mitigation options.
Conclusion
Designing and implementing an operational risk appetite and/or tolerance framework is challenging. However, the rewards can be substantial. Organisations fail because of either excessive or insufficient risk-taking. By establishing risk appetite and tolerance frameworks, they can help ensure that an appropriate degree of risk, including operational risk, is taken in the pursuit of their objectives.
Appendix A: Example operational risk appetite template
www.theirm.org
Developing risk professionals