Articulation: drive through the challenges

Drive. Not a word you often associate with risk management. Our Drive service is much more than writing effective risk documentation in an efficient manner. It turns what can be a passive annual review process into a dynamic, engaging and ongoing journey with purpose and a destination. And specifically ...

Drive helps you set and get value from risk management. Together with other tools, it helps close any gap between your risk and business functions.

The bottom line: the Drive product

The downside to providing "the bottom line" or summary here is that there are references to later points in this document and to other documents. Sorry.

For obvious reasons, regulators and auditors love risk documentation. You may not enjoy it. But let me convince you how it can be valuable.

Step 1: decide on the value

You can set the target value you want from your risk management effort, in terms of what risk management should do and its intended effect on your organisation, including its decision making. With care you can go further and quantify in advance its intended effect, then track to see if those benefits have been secured.

The section "... the world's first CRO speaks" below suggests a broad scope for enterprise risk management, including performance optimisation. Other organisations believe that short- and long-term stakeholder value should also be in scope. A risk vision and plan would clarify corporate beliefs in this area.

The value is a combination of your attitudes towards risk management, your "risk" and "non-risk" capabilities and your external environment:

Step 2: deliver the documentation

I can help you cut documentation down to size and make it something that sets direction and yields value.

| Document | Board incl NEDs | Front line executives | Risk function | Coverage |
|---|---|---|---|---|
| Risk vision and plan | Co-drive(*) | Deliver risk-adjusted return | Co-drive | What you want to achieve: the value you expect from risk management. |
| Risk strategy | Co-drive(*) | Comment | Co-drive | What you are going to do: the "products" e.g. optimisation through FAB-testing |
| Risk framework | (*) | Comment | Drive | The tools and process to deliver the products e.g. risk process, reporting etc. |
| Risk appetite | Drive(*) | Deliver risk-adjusted return | Facilitate | Limits and targets for risk and uncertainty to (e.g.) optimise value. |
| Risk policies | (*) | Co-drive | Co-drive | Delivery details – typically at the "risk type" level. |

(*) The Board signs off all such documents but may have additional roles, as suggested above. The section "Beyond the risk vision and plan" below covers what these documents look like in practice. Some suggest that the key is the risk appetite document, but I believe the risk vision and plan is a truer guide.

My Drive service can help you:

  • get value from risk management – the emphasis in this document – through the risk vision and plan and more
  • close any gap between your risk and business functions – Drive is one of several tools which contribute to this

Perhaps because they don't see the value, few have an appetite for this sort of work. I have the patience and tenacity to help you drive this through.

In reality the above is not a complete list of risk-related documents. There will probably be risk-related disclosures in the company accounts, while UK insurers will also have an Own Risk and Solvency Assessment (ORSA) – noting that the ORSA is supposed to be far more than a report. I can help with all these.

What risk management should be about: the world's first CRO speaks

There are three major business applications of risk management:
loss reduction, uncertainty management and performance optimisation.
The combination of all three is enterprise risk management. Source: James Lam – the world's first Chief Risk Officer

Others agree:

Enterprise risk management is the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources to increase the organization’s short- and long-term value to its stakeholders. Source: US Casualty Actuarial Society

Setting and getting the value of risk management

If risk management adds value how would you know?

To calculate profit you need to say what it is; naively some variation on income less outgo. Similarly the value of a company should be defined e.g. via a discounted cashflow model or alternatively as simply the market capitalisation. In this way you can do things like target an increase in the defined quantity.

But there is no general agreement on the value of risk management, so it's especially important for a company to define the value for itself.

Despite this, discussing the "value claims" for risk management, risk expert Bill Panning claims:

Notably scarce, for example, are papers that describe and critique alternative strategies for managing firm-wide risk or that define what is meant by "adding value" and propose ways that this could be implemented and measured in practice or even in principle. Source: Bill Panning, writing in Managing the Invisible

What are we to do? I suggest there are two risk-related documents that should stand out:

  • Risk vision and plan: The "what", in which we set out the nature of the value we intend to get from risk management.
  • Risk framework: The "how", in which we explain the mechanics of how that value will be achieved.

Both documents should start with the core business: what are the decisions, how can they be optimised, what are the uncertainties? Lam in practice.

Setting the value: the risk vision and plan

This is the first port of call for those interested in a firm's risk management. It sets out the Board's position in respect of Lam's a-b-c, accepting or rejecting Lam's claims and, where appropriate, proposing alternatives and/or improvements. This short but ambitious document:

  • Makes things explicit: Say what risk management is – and what it is not – from the firm's perspective.
  • Links risk and value: Conceptually to objectives and activities. Quantitatively, insofar as is possible. In this way it sets the value of risk management.
  • Sets limits on risk management: Eventually the "doing" of more types of risk management runs into diminishing returns.
  • Sets a plan: Not all the vision is achievable on day one. The vision is for improvement.

A risk vision and plan describes your firm's attitude towards and aspirations for risk management. It documents any targets beyond the regulatory minima. The policy will also reflect the firm's various ("risk" and "non-risk") capabilities and its external environment. Risk management should add most value where:

  • Your attitude. Positive and keen to learn more about Lam's claims for ERM.
  • Your capabilities. Show integrity, intelligence and drive. Open to qualitative and quantitative approaches. Have skills or can recruit.
  • Your environment. Competitive – and you're "in the pack".

For more read A risk vision and plan.

My Drive service can help you set value from risk management. Understanding the business and the potential value of risk management is key. Let's talk.

Getting the value: the risk framework

Strategy authors now acknowledge that delivery of strategy is both critical and non-trivial. The balance is not "90% strategy development, 10% strategy delivery". Similarly, to get value from risk management, setting aspirations and targets is necessary but insufficient. We need to say how we're going to deliver.

The risk framework (document) is longer than the vision and plan, setting out the mechanics of how the risk vision and plan will be delivered. Each tool and process should be related back to the vision and plan. It also covers risk governance, committees, roles and responsibilities etc.

The diagram

This shows a high level view of our 4A minimalist risk framework. The diagram points to "what" and "who". A framework also covers "how" in appropriate detail.

4A key features

Next steps

For more read A better risk framework and What really matters.

My Drive service can help you get value from risk management. I have the patience and determination to help you drive through when the going gets tough.

Beyond the risk vision and plan

Risk documentation: a recap

| Document | Board incl NEDs | Front line executives | Risk function | Coverage |
|---|---|---|---|---|
| Risk vision and plan | Co-drive(*) | Deliver risk-adjusted return | Co-drive | What you want to achieve and why: expected value of risk management. |
| Risk strategy | Co-drive(*) | Comment | Co-drive | Who does it and how: people and committees using certain products. |
| Risk framework | (*) | Comment | Drive | Who and how: The detailed tools and process to deliver the above. |
| Risk appetite | Drive(*) | Deliver risk-adjusted return | Facilitate | How much? Limits and targets for uncertainty to (e.g.) optimise value. |
| Risk policies | (*) | Co-drive | Co-drive | Delivery details – typically at the "risk type" level. |

(*) The Board signs off all such documents but may have additional roles, as suggested above.

In practice some documents (e.g. vision and strategy or strategy and framework) may be combined. But I suggest a risk vision and plan is the starting point and that it should cover directly Lam's a-b-c approach – see "What risk management should be about" above. Being clear is the best route to getting value.

What do these documents look like in practice?

We can consider this across several dimensions.

Content. This is covered in the last column of the table above. But if you search for documents online you will find that many organisations' overall risk policies are a combination of what I have called risk strategy and risk framework. But more importantly it seems that:

  • Few organisations make an effort to spell out the value of risk management, except in the most bland terms (*).
  • All seem to move on quickly to risk types, risk registers, probability and impact, heatmaps etc.
  • The link between these risk registers and ordinary "non-risk" decision making is, at best, unclear. Gap approaching...

(*) This could be a commercial issue, with (e.g.) financial firms being generic in their accounts and explicit in their internal documents. What do you think?

Take a moment to reflect on my claim: few set their expectations for risk management value. What value do you think they get? Is a gap likely?

Risk documentation: getting traction

The diagram on the left shows a process that may be familiar to you. It's time for the annual review of a risk document – perhaps the risk framework. A month or so before the relevant Board meeting the risk framework document is taken off the shelf (OK, retrieved from the network).

The central risk function takes soundings (perhaps) and proposes changes, reflecting developments in the year and/or what they would like to happen. "Risk owners" are asked for approval. Approval obtained, the revised document gets sent off to the Board. The Board signs it off. The document goes back on the shelf (network).

How much better if we could get to the diagram on the right. Start with the risk vision and plan, which explicitly articulates the value of risk management, the Board's approach and the trade-offs between risk and return. The Board is engaged, because it's about maximising risk-adjusted returns, not just loss reduction.

  • The Board co-drives and signs off – open to new ideas and challenging the risk function and executives where appropriate.
  • The risk function: responsibility for explaining and demonstrating the value of risk management on a forward- and backward-looking (performance) basis.
  • Senior executives: fully on board as the "client" of the risk function and demanding the best tools to help them maximise risk-adjusted returns.

The key word is WHY. Rather than simply being a list of who does what and when, risk documents say why and so are open to challenge and improvement.

It's what, why and who, not just what and who.

Practical suggestions for an effective and efficient suite of risk documents

  1. Primary role for the risk vision and plan: As argued in "If risk management adds value how would you know?" above. No direction = no progress.
  2. Clear roles and responsibilities: As suggested in the table above – based e.g. on expertise and probably set in the framework document.
  3. Documents with "edge": Documents (e.g. risk policies) should not be near copies of each other and should be open to challenge and improvement.

We end with two challenges reflecting the "edge" referred to above.

Practical challenge: risk appetite

Many (including regulators) regard risk appetite statements and frameworks as central to the management of a risk-based organisation e.g. a bank.

Risk appetite today is a core consideration in any enterprise risk management approach. Source: The Institute of Risk Management: executive summary of Risk Appetite and Tolerance research

The IRM's six key principles are that risk appetite:

  1. can be complex: a warning against the dangers of excessive simplification.
  2. needs to be measurable: to avoid risk appetite statements being vacuous.
  3. is not a single, fixed concept: it may, for example, vary over time.
  4. should reflect your risk management capability: as determined by your risk capacity and risk management maturity.
  5. must reflect views at a strategic, tactical and operational level: it must "work" at these different levels.
  6. must be integrated with the control culture: reflecting propensity to take and control risk.

Despite the complexities in the IRM's first principle, the original aim of risk appetite may simply have been:

The common factor in these initiatives is the attempt to influence directly by policies and their implementation important decisions taken inside organizations, in such a way that the limitations of knowledge are better handled. In other words, the aim is to get people to think effectively about 'risk' in some sense when they make important decisions. Source: Matthew Leitch: Making sense of risk appetite, tolerance and acceptance

Matthew highlights various ways of making risk appetite operational (I've added some of my own):

  • Risk adjusted performance measurement: especially in financial institutions. These at least seek to integrate risk and return.
  • High level risk appetite statements: Matthew doesn't like these, but they can reflect the organisation's business model.
  • High level risk limits: an example is economic capital by risk type, encouraging a mix in the interests of diversification.
  • Low level risk limits: e.g. percentages invested in an asset class, territory, non-investment grade credit. Limit on exposure to a particular reinsurer.
  • Net risk targets in risk register: another "limit" is the "red zone" to the north-east of the probability-impact grid. Weak, for many reasons.
  • Other possibilities: there are many other areas subject to limits – e.g. project approval – which might be considered part of risk appetite.

A good risk appetite statement will make sense of the above and more:

  • Measurable target levels of risk / uncertainty – the IRM calls this risk appetite.
  • Limits on risk / uncertainty – the IRM calls this risk tolerance.
  • The integration of the above risk levels with expected return. This might be RAROC and our development FAB-testing.
  • Multiple metrics. Perhaps not just value at risk but earnings and cash.

Practical challenge: the risk type conundrum

The systems and controls part of the (former) FSA's handbook implies that regulated organisations should cover at least 6 risk types: insurance, credit, liquidity, market, operational and group risks. There is an obvious incentive for a financial institution to align its risk policies in this way. But here's the interesting question:

To what extent is the management of risk (and development of policies) at the type level the responsibility of the company's (a) risk function – and potentially Chief Risk Officer – and (b) front line staff and executives?

My brief suggestions:

  • Development of risk policies: co-driving as per the table above.
  • Risk assessment: driven by functional experts in the "front line".
  • Risk management: control aspect as above.

Initially this may look as though we are not asking enough of the risk management function. I suggest that the skills of a central team are better deployed in oversight, developing corporate decision making and risk management tools (e.g. versions of RAROC). Risk team members with particular functional expertise may be deployed within a central team, although Lam suggests a risk-based role within a business function can be helpful for integration and communication purposes.

The A T Kearney view is worth re-quoting:

Centralize process ownership, decentralize decision making Source: AT Kearney – Seven tenets of risk management in the banking industry
© 2014-2017: 4A Risk Management; a trading name of Transformaction Development Limited