Risk Appetite Statements
Putting a focused lens on risk
The Banking Royal Commission laid bare the need for major change on a national scale. At the company level, too, it sharpened the focus on better non-financial and compliance risk management for all stakeholders.
This is not new as a risk focus for many sectors, but it was a tipping point for regulatory involvement in, and oversight of, risk management. For many years the ASX Corporate Governance Principles have addressed risk appetite and risk management, and APRA-regulated entities have examined risk. But now more action needs to be taken.
Review of risk appetite statements
While the banking and financial services sector remains at the forefront of regulatory scrutiny in Australia, ASIC is showing greater interest in broadening that scope. There is also increased attention on the approaches of the Dutch and UK financial services regulators, specifically their interventionist policies on board and executive accountability for risk.
Now, there is a greater need to undertake reviews of risk appetite statement (RAS) processes and examine how risk frameworks and activities connect to that risk appetite, through the lens of regulatory expectations.
The purpose of reviewing the RAS is:
- to check if the RAS is appropriately broad and clear;
- to check if metrics work to assess the full spectrum of risk; and
- to check if governance and accountability regarding financial, non-financial and compliance risk is effective.
Our team of experts is here to help you navigate the RAS in the most effective way possible.
Scoping out risk
Key questions to help you identify, assess, control and respond to emerging risks (financial, non-financial and compliance):
- What is the board’s process? Both at audit and risk committee (ARC) level and at full board level?
- What are the metrics used for measuring and assessing risk?
- Is the RAS clearly articulated in relation to financial, non-financial and compliance risk?
- How are risk issues considered by the board and ARC on a regular basis?
- Who reports to the board on risk? What is the scope and frequency of their reporting?
- Do reports to the board explicitly address the RAS? Do they align with RAS metrics?
- Does the board understand who is responsible for various risks in the organisation?
- Do the board and executive governance frameworks, and the skill sets of those involved, allow best practice in the management of these risks?
- How do you hold management accountable when the organisation is operating outside the risk appetite?
- What role does remuneration play?
- Do you require management to undertake root cause analysis?
- Who is responsible for risks identified at an executive level? And what are their roles?
- How do the governance arrangements and systems relating to risk help these executives and their functions work together in risk identification, assessment and management?
- Can each of these executives clearly articulate their role in relation to risk?
- Do they know what the RAS of the company is and how it is relevant to the risks they are responsible for?
- How is the RAS reflected in the policies, procedures and reporting that these various executives and functions engage in?
- How does the risk management framework (RMF) reflect the breadth of risks to which the business is subject?
- Practically, how does it identify, assess and then plan for those risks?
- Are indicators and metrics aligned with the RAS? Are they increasingly forward looking?
- What data is available/collated/relied upon in assessing risk?
- How is the risk register collated and reviewed? And how often?